Internet and Intranet Security Management: Risks and Solutions
Lech Janczewski
University of Auckland, New Zealand
Senior Editor: Mehdi Khosrowpour
Managing Editor: Jan Travers
Copy Editor: Brenda Zboray Klinger
Typesetter: Tamara Gillis
Cover Design: Connie Peltz
Printed at: BookCrafters
Published in the United States of America by Idea Group Publishing
1331 E. Chocolate Avenue
Hershey PA 17033-1117
Tel: 717-533-8845
Fax: 717-533-8661
E-mail: cust@idea-group.com
http://www.idea-group.com
and in the United Kingdom by
Idea Group Publishing
3 Henrietta Street
Covent Garden
London WC2E 8LU
Tel: 171-240 0856
Fax: 171-379 0609
http://www.eurospan.co.uk
Copyright © 2000 by Idea Group Publishing. All rights reserved. No part of this book may be
reproduced in any form or by any means, electronic or mechanical, including photocopying, without
written permission from the publisher.
Library of Congress Cataloging-in-Publication Data
Janczewski, Lech, 1943-
Internet and intranet security management: risks and solutions / Lech Janczewski.
p. cm.
Includes bibliographical references and index.
ISBN 1-878289-71-3
1. Internet (Computer network)—Security measures. 2. Intranets (Computer networks)—Security measures. 3. Computers—Access control. 4. Cryptography. I. Title.
TK5105.875.I57 J358 2000
005.8—dc21 00-022538
British Cataloguing in Publication Data
A Cataloguing in Publication record for this book is available from the British Library.
NEW from Idea Group Publishing
__ Instructional and Cognitive Impacts of Web-Based Education
Bev Abbey, Texas A&M University/ISBN: 1-878289-59-4
__ Web-Based Learning and Teaching Technologies: Opportunities and Challenges
Anil Aggarwal, University of Baltimore/ISBN: 1-878289-60-8
__ Health-Care Information Systems: Challenges of the New Millennium
Adi Armoni, Tel Aviv College of Management/ISBN: 1-878289-62-4
__ Evaluation and Implementation of Distance Learning: Technologies, Tools and Techniques
France Belanger, Virginia Polytechnic Institute; Dianne H. Jordan, Booz Allen & Hamilton/ISBN: 1-878289-63-2
__ Human Centered Methods in Information Systems: Current Research and Practice
Steve Clarke and Brian Lehaney, University of Luton Business School/ISBN: 1-878289-64-0
__ Managing Healthcare Information Systems with Web-Enabled Technologies
Lauren Eder, Rider University/ISBN: 1-878289-65-9
__ World Libraries on the Information Superhighway: Preparing for the Challenges of the Next Millennium
Patricia Diamond Fletcher, University of Maryland Baltimore County; John Carlo Bertot, University at Albany, State University of New York/ISBN: 1-878289-66-7
__ Social Dimensions of Information Technology: Issues for the New Millennium
G. David Garson, North Carolina State University/ISBN: 1-878289-86-1
__ Object Oriented Technologies: Opportunities and Challenges
Rick Gibson, American University/ISBN: 1-878289-67-5
__ Process Think: Winning Perspectives for Business Change in the Information Age
Varun Grover & William Kettinger, University of South Carolina/ISBN: 1-878289-68-3
__ Community Informatics: Enabling Communities with Information & Communications Technologies
Michael Gurstein, University College of Cape Breton/ISBN: 1-878289-69-1
__ A Primer for Disaster Recovery Planning in an IT Environment
Charlotte Hiatt, California State University, Fresno/ISBN: 1-878289-81-0
__ Information Technology Standards and Standardization: A Global Perspective
Kai Jakobs, Technical University of Aachen/ISBN: 1-878289-70-5
__ Internet and Intranet Security, Management, Risks and Solutions
Lech Janczewski, University of Auckland/ISBN: 1-878289-71-3
__ Managing Web-Enabled Technologies in Organizations: A Global Perspective
Mehdi Khosrowpour, Pennsylvania State University/ISBN: 1-878289-72-1
__ Distance Learning Technologies: Issues, Trends and Opportunities
Linda Lau, Longwood College/ISBN: 1-878289-80-2
__ Knowledge Management and Virtual Organizations
Yogesh Malhotra, Florida Atlantic University/ISBN: 1-878289-73-X
__ Case Studies on Information Technology in Higher Education: Implications for Policy and Practice
Lisa Ann Petrides, Columbia University/ISBN: 1-878289-74-8
__ Auditing Information Systems
Mario Piattini, University de Castilla-La Mancha/ISBN: 1-878289-75-6
__ Electronic Commerce: Opportunity and Challenges
Syed Mahbubur Rahman, Monash University & Mahesh S. Raisinghani, University of Dallas/ISBN: 1-878289-76-4
__ Internet-Based Organizational Memory and Knowledge Management
David G. Schwartz, Bar-Ilan University; Monica Divitini, Norwegian University of Science and Technology; Terje Brasethvik, Norwegian University of Science and Technology
__ Organizational Achievement and Failure in Information Technology Management
Mehdi Khosrowpour, Pennsylvania State University/ISBN: 1-878289-83-7
__ Challenges of Information Technology Management in the 21st Century
Mehdi Khosrowpour, Pennsylvania State University/ISBN: 1-878289-84-5
Excellent additions to your library!
Receive the Idea Group Publishing catalog with descriptions of these books by calling, toll free 1/800-345-4332 or visit the IGP web site at: http://www.idea-group.com!
TABLE OF CONTENTS
Preface (p. i)
Part I: State of the Art (p. 1)
Chapter 1: Security Risk Assessment and Electronic Commerce: A Cross-Industry Analysis (p. 2)
Jonathan W. Palmer, University of Maryland, USA; Jamie Kliewer and Mark Sweat, University of Oklahoma, USA
Chapter 2: Securing the Internet in New Zealand: Threats and Solutions (p. 24)
Jairo A. Gutierrez, University of Auckland, NZ
Part II: Managing Intranet and Internet Security (p. 38)
Chapter 3: Developing Trust for Electronic Commerce (p. 39)
Dieter Fink, Edith Cowan University, Australia
Chapter 4: Managing Security Functions Using Security Standards (p. 81)
Lech Janczewski, University of Auckland, NZ
Chapter 5: Managing Security in the World Wide Web: Architecture, Services and Techniques (p. 106)
Fredj Dridi and Gustaf Neumann, University of Essen, Germany
Part III: Cryptography and Technical Security Standards (p. 140)
Chapter 6: Cryptography: Protecting Confidentiality, Integrity and Availability of Data (p. 141)
Henry B. Wolfe, University of Otago, NZ
Chapter 7: Foundations for Cryptography (p. 163)
Dieter Gollmann, Microsoft Research, UK
Chapter 8: Developments in Security Mechanism Standards (p. 185)
Chris Mitchell, University of London, UK
Part IV: Security and the Law (p. 247)
Chapter 9: Electronic Mail, Employee Privacy and the Workplace (p. 251)
Charles Prysby, University of North Carolina, USA; Nicole Prysby, Attorney at Law, Virginia, USA
Chapter 10: Protecting Personal Privacy in Cyberspace: The Limitations of Third Generation Data Protection Laws Such as the New Zealand Privacy Act 1993 (p. 271)
About the Authors (p. 296)
PREFACE
In information security, as in all areas of information technology, knowledge and practice are
advancing rapidly. There is a need for up-to-date material, but the rate of change is so great that a
textbook only a few years old will already be obsolete. Covering the most important changes in the
field of information security to produce an updated text before it becomes obsolete is a lot to ask of
one author, so we have asked several, each expert in their own speciality, to complete one chapter.
Overlaps are minimal, but chapters are substantially independent. Readers can, therefore, either
follow the text from the beginning to end, or pursue only their special interests without having to read
the whole text.
The book is divided into four separate parts:
Part I—State of the Art
Here major issues concerning development of Internet and intranet are discussed. To present a
balanced, world perspective, two points of view have been included: from the United States (J.
Palmer et al.) and from a much smaller country, New Zealand (J. Gutierrez). Despite their different
situations both countries face surprisingly similar information security problems.
Interestingly, system malfunctions rather than hackers and similar unwelcome characters are still
considered to be the greatest security threats.
Part II—Managing Intranet and Internet Security
Three authors discuss issues related to efficient management of the security of distributed systems.
Electronic commerce requires not only technology but also people trusting this method of doing
business. In his chapter Dieter Fink discusses the components of trust for electronic commerce and
the methods of building and sustaining it.
The foundation of every security system is the information security policy (ISP). Lech Janczewski
presents a method to allow rapid creation of an effective ISP. A variety of documents that standardise
development and assessment of information security functions are discussed.
Fredj Dridi and Gustaf Neumann present an overview of Internet security issues with special emphasis
on Web security. An architecture is presented in which security services are built to protect against
threats and to achieve information security for networked systems. Basic security protocols like
IPSec, SSL, Secure HTTP, and others are also presented.
Part III—Cryptography Methods and Standards
Cryptography is the major technique allowing secure transport of data through insecure environments
and secure storage of data. In this part three authors discuss a number of important issues related to
cryptography:
Export of cryptography is restricted by a number of national and international agreements. Henry Wolfe
in his chapter describes and discusses these restrictions. In his opinion, it is impossible to enforce these
restrictions and they should be abolished. To allow a smooth introduction to more technically
challenging issues discussed later in the book, Dr. Wolfe presents a short description of the most
popular types of ciphers.
Adequate security requires not only implementation of powerful cryptography (for instance the
development of a DES replacement), but also an adequate solution for successful cryptography
deployment. These issues are discussed by Dieter Gollmann.
In the final chapter of Part III, Chris Mitchell outlines the major standards regulating cryptographic
methods. The OSI security architecture, DES, Message Authentication Codes, Digital Signatures,
Hash Functions, and Key Management are presented.
Part IV—Security and The Law
It is not enough to understand information security merely in terms of technology (like PKI) and
psychology (trust). Understanding the law is also necessary. Technology is advancing so rapidly that
lawmakers can't keep up and changes, which are often inconsistent, are made in haste. Issues such as
the rights of an employee to keep data on his/her computer at work private are not well understood.
These issues are discussed by Charles and Nicole Prysby.
As professionals living in the USA, Charles and Nicole Prysby have an American viewpoint. To give
the reader a wider perspective the last chapter of this book, written by G. Gunasekara from Auckland,
presents similar issues in a New Zealand context.
Acknowledgments
The project could not have been successfully concluded without each author's contributions, and to
each I give my heartfelt thanks. I feel privileged to call them my friends, a friendship that was tested
by this project. The test must have been passed—they are still willing to talk to me.
Special thanks are due to Jan Travers from Idea Group Publishing for her help in advising me how to
solve multiple problems and providing encouragement and to Robert Barnes for useful suggestions
on how to organise the content.
There are many other people who deserve my gratitude for their inspirations, comments, and other
forms of help. Professor Andrew Targowski from Western Michigan University gave me the decisive
push for this project, and my employer, the University of Auckland graciously allowed me to use
their facilities necessary for conducting the project. Finally, members of my family who survived my
emotional stress during the life span of this work.
LECH J. JANCZEWSKI
AUCKLAND, NEW ZEALAND