企业信息安全的建议：Proposal of Information Security for an Enterprise

Abstract摘要

 

一个大型复杂企业网络的安全性维护是一个困难而且艰巨的任务。企业中的各种应用程序支持着企业的各种关键性业务，但从本质上来说，在不同的应用程序和操作系统的新漏洞几乎每天都能被发现的今天，这些都是不安全的。

The security of a large complex enterprise network is a difficult and daunting task. Critical business needs rely on numerous types of operating systems running various applications that are inherently not secure. New vulnerabilities in various applications and operating systems are found every day. The rapid increase to guard against known vulnerabilities being released shows an essential need to implement an enterprise-wide process. This paper details one means of tracking the multitude of serious vulnerabilities that affect our fictitious large-scale enterprise network and require us to implement patches. The paper does not detail the difficulties that ensue when trying to determine what effect the patches may have on business applications, only how to manage the implementation of patches across the enterprise with a large yet busy staff of Information Technology (IT) and security professionals.

 

Introduction引言

 

从世界第一台电子计算机到今天的互联网普及，计算机的发展速度是非常快的。。计算机的发展伴随着人类信息时代的发展，网络的普及使人们当获取和传递信息有另外的选择，而这种选择是真正的自由主义。互联网使信息速度，信息质量和信息范围，对时间和空间来说产生了质的飞跃，这也使人们的许多梦想成真。

From first computer of the world to today's internet popularization, the develop speed of the computer is very fast. Computer's development takes digital information time for human culture .With the emergence of the computer network, make people have another choice when obtain and deliver information; and this choice is real liberalism. It makes speed, quality and scope of information have leap of quality on time and space; it also make people's many dreams come true.

 

The information system is a kind of technique system based on information technology. With the computer generalized application, it makes information system is expanded with large scale. At the same time, the information system also based on application of various computer technologies （Ciborra，2002). For example, the internet/ intranet/ Extranet technique carried out the share of enterprise internal information, and also takes the share of among enterprise's information. As a result information technology promotes information spread and enterprises communication. EDI( Electronic Data Interchange) technology on web takes EDI exchange of security and standard under the Internet environment; The SET (secure electronic transaction) technology can  secure deliver internet information and data; The database technique carries out share and update of business data on time, thus provide data and basis for management strategy of business.#p#分页标题#e#

 

But In recently years, more and more criminal offences appeared on the Internet, the information system security has become the social public problem for all nations; it must pay more attention. Some report show the American FBI investigates about 547 intrudes computer cases in 1998; the quantity of computer case achieved 1154 in 1999. The most serious problem is network porn become disaster, the copyrights of software, movie, record were infringed by pirates; the electronic commerce is disturbed by cheat, for example some credit card were robbed, some purchased merchandises disappear, an some merchandise were send out but not get payment (Legard, 2001);; hacker have already challenged computer and network many years, In the 1980s, most hackers committed fraud to get a username and password for a computer account, and then logged on to the computer without proper authorization, and browsed through files, copying some, deleting or altering others. Such work does not require any knowledge of computer programming, just a rudimentary knowledge of a few operating system commands. Since 2000, authors of malicious programs use resources readily available on the Internet to create a "new" computer virus or worm, or launch a denial of service attack. Again, such activities do not demonstrate a high level of proficiency in computer programming.  it still the potential danger. Information system security has become an important problem of criminology (Gliddon 2000; Weiss 2000);.

 

Today, the information system security has encompassed many aspects of computing and technology, and it is more recognizable than ever before. The information system security scale can be quite large, covering many fields. Information system security may include data management, networking, engineering computer hardware , database and software design, as well as the management and administration of entire systems.

 

Objectives目标

 

The purpose of comprehend computer and network crime lies in decrease and avoids this kind of crime, punish and prevent various network criminal offence, establish related law, and rise speed of internet development. The paper outlines: the nature of the computer crime problem and the challenges it presents; some computer crime technology and discuss related law;How to establish law and rules to prevent virtual crime in a large multination enterprise.

 

Statement of problem问题陈述

 

It is clear that security is a concern to every one. Organizations and businesses need to be interconnected but at the same time to have secure systems. Mechanisms in form of security patterns are put in place to safeguard information and information systems, but often such systems are not very secure and information is lost, manipulated or accessed illegally

 

Information system security management is very difficult and complexity with information development. This is deciding by the domestic and international information development condition. The information system security based on information industry develops (Aceituno, 2004). For example internet's appearance and development changes global information industry development on a certain degree. The United States is source of internet. And Worm is first network security affair by general recognize. It is an important turning point in information system security area. It changes peoples' knowledge for internet. After this affair, DARPA group of American army configures CERT (Computing Emergency Reflect Team).This also bring about American president signed computer security law. This is a sign that information system security becomes a elevated and special problem. At the same time, with the high speed develop of information technically, information security problem is more and more simple for attacker's technology require.#p#分页标题#e#

 

In the period of recent 15 years, the information security problem is more and more. We can see high speed increase of information system security from some CERT report of the United States. It has become a global hot issue. The cost of attack cost is lower than before. So the enterprise faces security problem is more and more. It is very difficult to protect enterprise information,

 

With social progress uninterrupted and business develop continuously of the enterprise, higher request putted forward for information system security, and information system security also got embodiment and strengthens. At previous information system security is more related with the aspect of quantitative decision-making, for example, the cost of information system security (Lindsay and John, 2000). But at present information system security is more complexity because of resource need is denser and customer need is more variously. The information system security still involves people’s idea, society system, management method, power structure and change of habit etc. problem. The information system security technology can't separate with environment.

 

In aspect of internal sub-system constitute of information system, information system security also behaved more social natures. So the information system security is related with social. For example MIS (Management Information System) security, its previous edition is MRP. MSI extended both sides of internal and external. Internal extend is use leap produce type to alternate enterprise produce management system. External extend is add strategy management and supply link management functions (Volle, Michel ,2006). Compare with the previous resource concept always limited in enterprise inside and decision making support main concentrated in MSI, ERP added strategy management system for support whole enterprise develop strategy. When the information system Faced the market environment of internationalization, the information system security can't only limit at enterprise inner part, but provide more overall information and own sharper market sense of smell.  

 

On the side of information system target, information system is also a kind of social system. For example the target of ERP is concentrate information and management in aspects of market programmed, advisement strategy, price strategy, service, sales, promotion, and forecast. Actually information system provides more support for decision making, but decision making is people's subjective consciousness and activities. With the development of information system, traditional structure decision-making support system has not already satisfied need, and the system will provide more intelligentize service.

 

In the aspect of management concept reflection, information system security has more social nature. For example ERP is new conception under market environment; it embodies a range of revolutions of management method and idea. ERP uses leap produce type to carry out global market promotion strategy and concentrate market promotion. At the same time it makes use of new technology opening and engineering design management module, let enterprise located in enterprise network under new market environment. Information system makes enterprise got information quickly and decision exactly.#p#分页标题#e#

Method of work

 

The research is an individual work, which I intend to do alone and where others make contributions it will be mentioned in my thesis. Reviewing necessary literature and answering questions of the problem definition, could be done anywhere, but in order to settle at once part of it will be done concurrently with other parts of research at the specified location of the case study in Section 1. The section 2 will involve studying existing models and to come up with a framework to compare the techniques.

 

In order to answer questions, it is necessary to do a case study in a developing country. To get vital information and a clear overview of infrastructure and organization, it will necessitate being at the organization for my initial research. The gathered information from the case study will then be a basis evaluation.

Acquiring basic knowledge of how security mechanism can improve. System security is beneficial but using the acquired knowledge and existing case studies will be fitting to evaluate security in a less developed country with network settings which are rare in a developed world

 

Management plan管理计划

 

From 1960 to nowadays more than 30 countries established computer and network related law with each country actual condition .Sweden established data law in 1973.It is involved computer crime problem .This is the first law about  protect computer data in the world. In 1978, Florida State of American established computer crime law; Subsequently 47 states in the U.S. implemented computer crime law. In 1991, 12 member countries of European Community authorized software copyright law. At the same year, International Federation for Information Processing (IFIP) convened world computer security law conference for the first time. Singapore promulgated management regulation in 1996.It requested that the company of providing network service must control information contents, in order to prevent some information were speeded about porn, religion and political. These laws provided necessary basis and power for prevent and crack down on virtual crime.

 

The virtual crime is crime offence of high technology and new type. A lot of criminal don't know what is forbidden; because some teenagers lack sense of law, so they often commit an offence on the internet under idea of seek novelty. In the period of perfect network and computer law, related department should improve education of law and computer user’s law sense. All members of society should fight for computer and network crime.

 

Following on from the scoping exercise, an analysis was undertaken by the Working Party and a strategy developed. The strategy was launched by Commissioners at the International Policing Conference. At this stage, the strategy identifies 5 important focus. They are:

Prevention;

Partnerships;

Education and Capability;

Resources and Capacity;

Regulation and Legislation.

 

However, it must be kept in mind that we are not just talking about esoteric IT-specific crimes when seeking to establish a prevention and response capacity in this area. Police must be as adept at dealing with a crime scene featuring a computer or related technology as they are currently with crime scenes without technological dimensions.

 

Some security problem happened in the process of information system outsourcing. The information system outsourcing means the supplier of IT service provides IT technology system or service to enterprise customer (Aubert, Rivard and Patry, 1993). It is a kind of management strategy. Outsourcing content includes enterprise employs outside service supplier developing internal information system. Enterprise makes use of service and technique of professional IT service company, can make the business enterprise acquire the IT service of high quality IT service and more economic, professional, and quickly complete necessary guarantee service. The security of outsourcing information system is also paid more attention. The company is very impressionable to the system security. This problem need not exaggerative, but have to recognize. In the system of outsourcing, because of having no company internal technology personnel follow in the whole process, the general business section easily ignore program loophole, and it is hard to discover back door procedure. Secondly, in the maintenance process, sometimes the company needs to provide enough information for solving problem (De Looff, 1996. These information will threaten capital secure.

 

Can information system security lower financial loss? For this problem, many peoples take skeptical attitude. This standpoint shows the cost of the software is much more than the cost which develops alone, this is just one part of clear cost (Willcocks and Fitzgerald, 1993. The security cost of software still occupies a very great comparison and even exceeds development cost. In the process of using software, peoples and software can't avoid some security problems. If there is no a specific role for security, usually get half the result with twice the effort. The role of CSO is balance cost and risk in a company.

 

However, the enterprise should enhance the quality of apply personnel under guarantee the stability, integrity, and security of information system. Then information system security is considered by the enterprise. This measure can guarantee system running stability, decrease cost, and ensure capital security. At present the company can make the best of talent human resource, transfer go-ahead’s, and develop information system under IT company coordination. This kind of form can make the technique support company and enterprises all have small cost and format double win. The information system security is valuable discussed by all related peoples. But we have to have a careful consideration and attain absolutely security. The leadership of company and grass-roots are concentrated and we will get a perfect result.#p#分页标题#e#

 

Plan of Action行动计划

 

Computer information system includes computer, related facilities and network. It is a kind of human-machine system. A computer information system collects, process, save, deliver, and retrieves information according to the applied target and the rule.

Intrude computer information system is a kind of very serious criminal offense. In 1993, several peoples obtained confidential computer system's passwords of American Department of Defense. In 1995, about 250,000 computer users visited American Pentagon computer information system. Even some people touched information about trajectory weapon investigation report and opened this information on internet. Virtual crime is very dangerous for nation security.

Intrude methods include as following:

 

Masquerading/mimicking. A way of masquerading is people make use of network design blemish, for example on the internet, a kind of special network which is called "the route marker" is decided that the information data confirm and send by the computer. Then intruder use blemish of network design deceive the special network. The user imitate legal user and get protected computer data resource. After that the related computer system will be controlled by intruder. The second way is intruder use others access password imitate into others computer network. The third way means intruder takes legal user type password or when legal customer over usage but still allied the machine occasion to obtain access (Galeotti 2000)..This is similar with when burglar pry door, but someone pass and then sneak into the door .Four is make use of illegal procedure or method to bilk legal user that just is registering toward the computer and get into system. For example, the piggyback technology means intruder follows others legal access handles to interfuse computer system.

 

Technological attack. It means intruder use a kind of technology defeat another one ,but don't adopt other methods, for example guess procedure, figure out password etc..The main purposes of technological attack is get into system with round or cancel hardware and software access control mechanism with get into system.

 

Back door. Generally back door is a portal for maintenance of program and system by software designer. It is conceal or camouflage. For example, a password of operate system may implicit a back door, it can make a certain list of control characters allow to visit manager account number (O’Balance, 2001). When a back door is discovered by the person, this system may be used out of malice by unauthorized user.

 

Trap door. In the computer technique, it is a kind of automatic transfer condition designed in advance for adjusting procedure or process the computer internal accident(PWGUCI, 2000, p.1). Generally the manufactory-self know trap door only and don't tell customer. The procedure should close trap after tune up. If the manufacturer forget close trap when deliver the goods. It will be exploited to round the protect mechanism, and then get into system.#p#分页标题#e#

 

3. Conclusion结论

 

However, information system security was admitted by widespread. Actually, many malice behaviors are complied in penal and civil law just recently. But still there are many problems need to research. For example, the law officials and public prosecution person whether accepted enough training to investigate and prosecute computer crime or not? Did the intrude database threat the security of nation? Some important nation service system, for example telephone system, is it destroyed very easily? Some research for a few colleges show the information system security isn't major. Computer crime isn't major of law school. Be a public prosecution person, they are stupid for the high technique crime. The police college should set up a course concerning information system security . Law schools will also know the target changed direction for invisible database of computer and electronics.

 

Increased funding for law enforcement, including training in cyber forensics, improved vehicles for international cooperation (like the efforts in the G-8 to create national points of contact for cybercrime), and effective national laws (modeled on the Council of Europe Cybercrime Treaty) will also help narrow the opportunities for cybercriminals. Carnegie Mellon’s CERT Coordination Center’s 2004 Annual. Report states, “In every way, the next twenty years will bring more of everything. More threats, more attacks, more resources at risk, more interconnection, more communication, more emergencies.” It is hard to say if we are at the high tide of computer crime and can expect levels to drop in the future, or whether cybercrime will increase even further. What we can say is that as long as people use computers, criminals will attack them.

 

Information security department must guarantee computer isn’t broken in effort of prevent crime. The mode of protect information system likes an onion. The first guarantee is every user doesn't assume responsibility of no authorization access. The second guarantee is state or nation provides legislation .The third guarantee is protect some national boundaries and international market .With the establishment of computer market, worldwide information system security problem can't be resolved by domestic law, but need the international cooperation to protect information system security.

 

References文献参考

Quist, Arvin S. (2002). "Security Classification of Information" (HTML). Volume 1. Introduction, History, and Adverse Impacts. Oak Ridge Classification Associates, LLC. Retrieved on 2007-01-11.

ISACA (2006). CISA Review Manual 2006. Information Systems Audit and Control Association, p. 85. ISBN 1-933284-15-3. 

Harris, Shon (2003). All-in-one CISSP Certification Exam Guide, 2nd Ed., , CA: McGraw-Hill/Osborne. 0-07-222966-7. #p#分页标题#e#

Angell, I.O. and Smithson S. (1991) Information Systems Management: Opportunities and Risks

Federal Standard 1037C, MIL-STD-188, and National Information Systems Security Glossary

Rockart et. Al (1996) Eight imperatives for the new IT organization Sloan Management review.

Langefors, Börje (1973). Theoretical Analysis of Information Systems. Auerbach. ISBN 0-87769-151-7. 

Ciborra, C. (2002) Labyrinths of Information, Oxford, Oxford University Press

California High Technology Crime Advisory Committee (CHTCAC) 2000, Annual Report on High Technology Crime in California, California High Technology Crime Advisory Committee,Sacramento, CA.

Council of Europe (COE) 2000, European Committee on Crime Problems (CDPC) Committee of Experts on Crime in Cyberspace (PC-CY) Draft Convention on Cybercrime (Draft No. 24 Rev.2), Dancer, H. 2000, ‘K2 uncovers GST keyhole’, The Bulletin, 11 July, p.76.

Deloitte Touche Tohmatsu & Victoria Police 1999, Computer Crime & Security Survey, Deloitte

James, L. & Cooper, J. 2000, ‘Organised exploitation of the information super-highway’, Jane’s Intelligence Review, July, pp.52-55.

Washington, DMarch 2000.

United Nations Asia and Far East Institute for the Prevention of Crime and the Treatment of

Offenders (UNAFEI) 2000, Crimes Related to the Computer Network: Challenges of the Twenty-first Century, April, Tokyo.

Van Dijk, S. 2000, ‘GST rush at Tax Office exposes security neglect’,Computerworld, Vol.24 No.2, 10 July, pp.1 & 3.

Walker, J. 1997, ‘Estimates of the costs of crime in Australia in 1996’, Trends and Issues, No.72,

Weiss, T. 2000, ‘Microsoft says it tracked intruder for 12 days’, Computerworld, Vol.24 No.18, p.3.

 

本文出自英国dissertation网，如需转载请注明出处：http://www.ukthesis.org/xxhzsglzy/