What is intranet
Internal corporate network built using Internet and WWW standards that is protected from outside access by firewall.
Easy access for employees to data and resources.
What is extranet
External link to internal network for trusted 3rd party access
Methods to host a website
Register a domain name.
Host yourself or use a third-party service
Issues with hosting your own web site
PC will not be able to handle many users
ISP may not allow it
For a website that runs 24/7 with a lot of traffic —> needs to be hosted on a server
Components to host your own website
WAMP
Windows compatible (or Linux - LAMP)
Apache software for hosting
MySQL database for web content
PHP for writing dynamic web content
Disadvantages of using third-party hosting
Free hosting services can come with advertisements or limitations.
Otherwise costs money for efficiency, security, and storage space.
What is cloud computing
Provides users (from single to enterprise) computing capabilities from third-party centers.
Benefits of cloud computing
Shared resources (infrastructure, applications, data)
On demand service
Maximizes effectiveness
Disadvantages of cloud computing
Fiscal and environmental cost
Centralized point of failure
Data sovereignty concerns for sensitive data
Types of cloud computing
Infrastructure as a service (IaaS)
Platform as a service (PaaS)
Software as a service (SaaS)
What is IaaS
Physical or virtual machines
Large pools of resources in data centers
Users install OS and application software on cloud infrastructure
User billed on resources allocated and used
What is PaaS
IaaS + OS, any middleware and programming environment, web server, and database
User supplies additional applications (their own software for their specific needs) and data
What is SaaS
Cloud provides everything
User connects using thin client
Usually only needs web browser
Flat fee per user
Types of clouds
Private
Internal to a single organization
Portal for ArcGIS (like AGOL)
Hybrid
Organization has their own private cloud, but uses a public cloud when extra resources needed
Community
Shared by multiple organizations that share common concerns
Distributed
Infrastructure is not at a single data center but located at various locations and connected in a single network
Intercloud
Interconnected public clouds
Multicloud
One user accesses multiple clouds
Benefits of multicloud
Different cloud providers/locations
Protection from disasters
More flexibility in resources available
What is a VPN
A Virtual Private Network uses a public network (usually internet) to connect multiple remote locations in a private network.
Connections are secure and encrypted; clients need software installed and credentials to access.
Types of VPN
Mobile
Endpoint of VPN not fixed but can roam across various public networks
Additional software authenticates to changing networks without user having to reconnect
VPN on router
Added for extra security when router is being accessed by multiple devices
OpenVPN
Open source software to implement VPN
Uses OpenSSL encryption
Certificate or credentials
Steps of server virtualization
Start with a host server - actual hardware
Divide a physical server into multiple unique and isolated virtual servers by means of a software application
Host machine must be a powerful server with multiple CPUs, large amounts of RAM, large amounts of storage
Define virtual servers with specs
OS and applications can be installed as if it was real hardware
Each virtual server can be independently rebooted
Uses of server virtualization
To create web servers, database servers, etc.
Pros of server virtualization
Less hardware costs
Less energy costs
Uses resources to fullest
Can be backed up and moved
No additional load on network
Cons of server virtualization
If host goes down, all virtual servers go down
What is desktop virtualization
Physical server hosts individual virtual desktops. A thin client device that connects to the virtual desktop is only used for connection and peripherals. All applications run on the server, and all data is accessed there.
Pros of desktop virtualization
Reduced hardware costs
Better security (if employee loses laptop, no company software or data lost)
Rapid deployment of new users
Cons of desktop virtualization
Can slow network considerably
Changes need to be made to network and transmission protocol to handle the additional load
What is application virtualization
Encapsulates application so it appears to run on local machine but is running on remote server. Virtualization layer replaces OS runtime environment.
Application is not aware that it is running in virtual environment.
5 components of security
Cybersecurity - process of applying security measures to ensure confidentiality, integrity, and availability of resources and data
Information security - defending info from unauthorized access, use, disclosure, disruption, modification, perusal…
Confidentiality - sensitive info must be protected and access should only be by authorized personnel
Integrity - ensure there is no tampering by unauthorized persons; QA/QC processes must be in place so that non-malicious errors are not introduced
Availability - resources and info must be available to those who need them and when needed, processes must be in place to protect from non-malicious events as well
Examples of security risks
Computer crime
Hacking - illegal access of computer networks to destroy, modify, or steal data
Backdoor - bypassing normal security controls
Denial of Service (DoS) attack
Direct and indirect access - modify operating system, install worms, download data, install listening devices
Eavesdropping - network traffic intercepted and decoded
Exploits - virus to exploit flaws in computer systems
Social engineering (phishing)
Thefts - hardware/software theft
Sabotage - physical, website, information destruction
Wardriving - hackers drive around with GPS enabled device to locate insecure wireless access points
Components of computer protection
Take security into account when designing a system
Each part of the system only has privileges for its function
Redundancy in security controls
Audit trails
Full disclosure of vulnerabilities
Methods of protection
Firewalls - controls incoming and outgoing network traffic
Intrusion detection system - detects suspicious traffic that makes it through the firewall (or attempts to get through), also watches for attacks from within system and records events —> triggers alarm
Authentication/passwords/biometrics
Anti-virus software
Types of firewalls
Packet filters
Application-layer
Proxies
Network Address Translation
(Commercial)
Detection methods of anti-virus software
Signature
Heuristic
Behavioural
Data mining
Problems with anti-virus software
Can impact performance
Doesn’t catch everything
Report false positives
Updated frequently
Cloud anti-virus software does most checking in cloud
Data transmission protection
Encryption software is needed to protect data that is transmitted wirelessly (Wireless Protect Access)
Advanced Encryption Standard
Counter Cipher Mode
Block Chaining Method Authentication Code protocol (CCMP)
WPA3 is the current standard (need WPA3 compatible router)
WPA4 is upcoming
What are user roles
Levels of permissions/access to computer processes and data. Uses role-based access control (RBAC) or role-based security (RBS). Roles are hierarchical.
Where are user roles stored
Windows Active Directory - holds all info about objects that make up a domain, run on a Windows Server —> network that can have more than 1 domain and more than 1 server
Some interoperability with Unix/Linux
3 GIS security issues
Data security - data
System security - software
Cloud security - cloud
Methods for password storage
Browsers
Cloud Encrypted Managers
Local Encrypted Managers
5 parameters of system development
Scope
Cost
Time
Quality
User expectation
Who is involved in system development
Stakeholders
Project managers
System development specialists
Technical (GIS) specialists
Users
Vendors
Role of project managers in system development
Deliver solutions that meet scope, cost, time, quality, and expectations
Manage expectations of stakeholders
Coordinate people and resources
Ensures smooth, successful implementation
Technical, business, and people skills
Risk management
Contingency plans
Who are stakeholders in system development
Project steering team (Project champion, project sponsor, IT manager)
Users
Upper management of company
Goals of system development
IS goals must be in line with organizational goals
Organization must create a strategic plan that allows it to reach its goals
Organizational goals must be translated into system development initiatives
Components of system development initiatives
Identify the IS project
Set priorities
Analyze resource and deadlines
Set schedules
Create planning document
What is SDLC
System Development Life Cycle
Can be formalized or more ad hoc; the point is to create a plan that removes errors early in the process. The later an error is detected, the more expensive it is to remove.
Types of SDLC
Traditional (waterfall)
Prototyping
Rapid Application Development (AGILE)
Traditional SDLC
Sequential multi-stage plan, each step must be completed before moving on with each step requiring a deliverable.
High degree of management control through documentation and directly linked through business needs. Documentation is expensive to produce and quickly goes out of date.
System developed is based on developers' perceptions and not user needs.
Steps of traditional SDLC
Investigation - investigate request from organization and tests feasibility
Analysis - studies existing system to identify strengths and weaknesses, identifies team members, schedule, and budget
Design - how will the new system meet the desired goals, sets security, vendors, and requirements for hardware/software/networks
Construction - construction of hardware, software, programming/data
Integration and testing - tests all components work together in all environments and if system meets requirements, does the user accept it
Implementation - train users and switch to new system
Cutover
Switching from old to new system
Direct conversion
Phase-in approach
Pilot start-up
Parallel start-up
Prototyping SDLC
Iterative approach where each iteration ends with a prototype with feedback. The project is completed after many iterations.
Good when final result required is not fully known (creating a system that has never been developed before).
Constant communication between developers and users is needed.
Pros of prototyping
Users fully involved and positive reception
Early detection of errors
Training users as a part of development
May produce useful deliverables even if project runs out of time and money
Can be easily changed or discarded
Cons of prototyping
Each iteration may only be marginally better
Less phase reviews and documentation
May overlook disaster planning, performance, and security
Can have unrealistic schedule and budgeting requirements
Working prototype may make management think project is complete even if it isn’t close
Rapid Application Development SDLC
Speed up processes using tools, techniques, and methodology. Joint Application Design (JAD) or SCRUM brainstorming by all stakeholders.
Highly collaborative.
Process broken up into small sprints of collaborative work that lasts 1-4 weeks.
Pros of Rapid Application Development
Fast
Documentation produced as byproduct
Interaction between users and stakeholders
Progress can be measured by completed work
Bugs solved during each process, less chance of buggy final product
Good for rapidly changing tech
Cons of Rapid Application Development
Intense
Skill in agile techniques needed
Stakeholders and users commit more time
Final product may not be defined clearly and may be different from what was originally envisioned
What are critical success factors
Factors essential to ensure success.
What can go wrong without critical success factors
No leadership or direction
Scope of project is unclear
Expectations poorly managed
Insufficient user involvement
Organization not ready to change
Poor planning
Not enough money in budget