information security awareness
Post on 15-Nov-2014
152 Views
Preview:
DESCRIPTION
TRANSCRIPT
Peran Keamanan Informasi di Tengah Pesatnya Perkembangan ICT
Universitas Al Azhar Indonesia
Jakarta – 10 Juni 2014
Digit Oktaviantohttp://digitoktavianto.web.id
digit dot oktavianto at gmail dot com
IT Security Enthusiast (Opreker)Member of Indonesian Honeynet ChapterMember OWASP Indonesian ChapterLinux Activist (KPLI Jakarta)IT Security Consultant
About Me
Perkembangan Industri IT
Source : http://www.forbes.com/powerful-brands/list/
“After compiling the list of fastest growing industries, there were some apparent trends. Each industry on the list experienced growth as a result of one or more of four drivers: Internet growth, environmental issues, cost cutting and evolving technology.”
Source : IBISWorld (global business intelligence leader specializing in Industry Market Research)
Mengapa Perkembangan Industri IT Sangat Pesat?
Internet growthEnvironmental issuesCost cutting Evolving technology
Faktor Pendukung
Marketing StrategyAdvertisementBusiness ModelDeliverables to CustomerWorking BehaviorChange of Mindset
Perubahan Paradigma Konvensional ke Era Modern
“Keamanan selalu berbading terbalik dengan kenyamanan. Semakin anda merasa nyaman, semakin anda tidak aman.”
(Anonymous)
Correlation?
Information Security Threat
Data BreachesSocial Media HackingMobile Device ThreatMalware and Advanced Persistent Threat
(APT)
Recent Trends
Electronic CrimesDisclosure Sensitive Information
(personal info, credit card, username and password)
Target :Online ShopSocial Media WebsitesGovernment Agency
Data Breach
Why oh Why?
Data Breaches
Data Breaches
Data Breaches
Data Breaches
Data Breaches
Purposes?Business competitionCampaignFor Fun (and Profit?)Ruin your life? (e.g. revenge?)Spying (Government, Agencies, Corporate)
Social Media Hacking
Social Media Hacking
Social Media Hacking
Social Media Hacking
Social Media Hacking
Social Media Hacking
Why? 6 Billion Mobile Subscribers on the Planet
(end of 2012)Little to no patch management for mobile &
Poor QA in the AppStoreFew anti-virus / anti-malware solutionsIncreasing malicious mobile applications and
mobile exploitation
Mobile Device Threat
Mobile Device Threat
Example :- Phishing SMS Link
Mobile Device Threat
Example :Fake App
Mobile Device Threat
Example :Virus / Malware Threat
Mobile Device Threat
What is APT?
World next publicly available comprehensive report on Advanced Persistent Threat
Provided by Mandiant (www.mandiant.com)It’s a nickname for a group that being
government sponsored for doing specific attack and specific purpose
China is the suspected government that sponsored the group
Malware and Advanced Persistent Threat (APT)
Advanced means the adversary can operate in the full spectrum of computer intrusion. They can use the most pedestrian publicly available exploit against a well-known vulnerability, or they can elevate their game to research new vulnerabilities and develop custom exploits, depending on the target's posture.
Persistent means the adversary is formally tasked to accomplish a mission. They are not opportunistic intruders. Like an intelligence unit they receive directives and work to satisfy their masters. Persistent does not necessarily mean they need to constantly execute malicious code on victim computers. Rather, they maintain the level of interaction needed to execute their objectives.
Threat means the adversary is not a piece of mindless code. Some people throw around the term "threat" with reference to malware. If malware had no human attached to it (someone to control the victim, read the stolen data, etc.), then most malware would be of little worry (as long as it didn't degrade or deny data). Rather, the adversary here is a threat because it is organized and funded and motivated. Some people speak of multiple "groups" consisting of dedicated "crews" with various missions.
(Taken from http://taosecurity.blogspot.com/2010/01/what-is-apt-and-what-does-it-want.html)
Malware and Advanced Persistent Threat (APT)
Political objectives that include continuing to suppress its own population in the name of "stability."
Economic objectives that rely on stealing intellectual property from victims. Such IP can be cloned and sold, studied and underbid in competitive dealings, or fused with local research to produce new products and services more cheaply than the victims.
Technical objectives that further their ability to accomplish their mission. These include gaining access to source code for further exploit development, or learning how defenses work in order to better evade or disrupt them.
Military objectives that include identifying weaknesses that allow inferior military forces to defeat superior military forces. The Report on Chinese Government Sponsored Cyber Activities addresses issues like these.
Malware and Advanced Persistent Threat (APT)
Malware and Advanced Persistent Threat (APT)
Malware and Advanced Persistent Threat (APT)
What should we do?
The Answer :
Information Security Awareness
Who?
IT Infrastructure (Sys Admin, Sys Engineer)Application (Developer, Analyst)End User
Information Security Awareness
Social Engineering | Because there is no Patch for Human Stupidity.
Information Security Awareness
Social Engineering simply means manipulating or tricking people to gain their trust in order to give up confidential information without them knowing it.
This leads in gathering confidential information, computer system access or fraud.
Social Engineering
1. Risk Analysis2. Risk Assessment3. Policy4. Procedure5. Standard
Infosec Awareness Requirement
1. A process to take the message to the user community to reinforce the concept that information security is an important part of the business process
2. Identification of the individuals who are responsible for the implementation of the security program
3. The ability to determine the sensitivity of information and the criticality of applications, systems and business processes
4. The business reasons why basic security concepts such as separation of duties, need-to-know, and least privilege must be implemented
5. That senior management supports the goals and objectives of the information security program
5 Key Elements Infosec Awareness Program
Q & A
FINISH
top related