Managing Information Resources and Security
Source: lecturer.ukdw.ac.id/anton/download/amti13.pdf
Antonius Rachmat C, S.Kom, M.Cs (AMTI)
Security & information resources: the protection of computing systems and the data that they store or access.
• Stored in: desktop computers, laptop computers, servers, Blackberries, flash drives
• Data: confidential data, restricted data, databases, personal information, archives
'Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected'
BS ISO 27002:2005
Information systems (IS) consist of people, processes, technology, policies and procedures.
Security Components (CIA-AN)
• Confidentiality: access to the computer system must not be possible for unauthorized parties
• Integrity: computer system assets must not be modified by unauthorized users
• Availability: the system must always be online/available so that it can be accessed by authorized users
Additional:
• Authenticity: the system knows the origin of an object, or the origin of a modification that has occurred
• Non-repudiation: a person/entity cannot deny having done something
Threats
• A threat is:
– A person, thing, event or idea that poses danger to an asset
– Threats arise from vulnerabilities (weaknesses in the system and its design); a system's vulnerability is the possibility that the system will suffer harm from a threat.
• An attack is the realisation of a threat.
• Classification of threats:
– Deliberate (e.g. hacker penetration);
– Accidental (e.g. sending a sensitive file to the wrong address)
• Deliberate threats can be further divided into:
– Passive: no direct contact (e.g. monitoring, wire-tapping);
– Active: direct contact (e.g. altering the value of a financial transaction)
Terms
• Asset: valuable data that could potentially be stolen
• Exploit: the act of attacking
• Risk: the potential for data theft
• Threat agent: the data thief
– Virus, hacker, spy, terrorist
[Figure: Relationship between risk, threats, and vulnerabilities. Nodes: threats, vulnerabilities, risk, information assets, asset values, protection requirements, controls. Threats exploit vulnerabilities; controls reduce risk.]
* Controls: a practice, procedure or mechanism that reduces risk
Threats
• Human errors can occur in the design of the hardware and/or information system.
– They can also occur in programming, testing, data collection, data entry, authorization and procedures.
• Environmental hazards include earthquakes, severe storms, floods, power failures or strong fluctuations, fires (the most common hazard), explosions, etc.
• Computer system failures can occur as the result of poor manufacturing or defective materials.
Threat Sources
Source | Motivation | Threat
External hackers | Challenge; ego; game playing | System hacking; social engineering; dumpster diving
Internal hackers | Deadline; financial problems; disenchantment | Backdoors; fraud; poor documentation
Terrorist | Revenge; political | System attacks; social engineering; letter bombs; viruses; denial of service
Poorly trained employees | Unintentional errors; programming errors; data entry errors | Corruption of data; malicious code introduction; system bugs; unauthorized access
No | Category of threat | Example
1 | Human errors or failures | Accidents, employee mistakes
2 | Compromise to intellectual property | Piracy, copyright infringements
3 | Deliberate acts of espionage or trespass | Unauthorized access and/or data collection
4 | Deliberate acts of information extortion | Blackmail of information exposure / disclosure
5 | Deliberate acts of sabotage / vandalism | Destruction of systems / information
6 | Deliberate acts of theft | Illegal confiscation of equipment or information
7 | Deliberate software attacks | Viruses, worms, macros, denial of service
8 | Deviations in quality of service from service provider | Power and WAN issues
9 | Forces of nature | Fire, flood, earthquake, lightning
10 | Technical hardware failures or errors | Equipment failures / errors
11 | Technical software failures or errors | Bugs, code problems, unknown loopholes
12 | Technological obsolescence | Antiquated or outdated technologies
Security Objectives
• Prevention: prevent attackers from violating the security policy
• Detection: detect attackers' violations of the security policy
• Recovery: stop the attack, assess and repair the damage, and continue to function correctly even while an attack happens
Objectives of Information Security
1. Protects information from a range of threats
2. Ensures business continuity
3. Minimizes financial loss
4. Optimizes return on investments
5. Increases business opportunities
Business survival depends on information security.
The Reality
• Information security is an "organizational problem" rather than an "IT problem"
• More than 70% of threats are internal
• More than 60% of culprits are first-time fraudsters
• Biggest risk: people
• Biggest asset: people
• Social engineering is a major threat
Some Security Terms
• Cybercrimes are fraudulent activities committed using computers and communications networks, particularly the Internet.
• Hacker
– One of the first books to discuss hackers: "Hackers: Heroes of the Computer Revolution" by Steven Levy
• Mr. Levy states that the term hacker first appeared at the Massachusetts Institute of Technology (MIT)
– Hacker: an expert programmer who can detect the security weaknesses of a program, but does not exploit them for the benefit of themselves or others
Some Terms
• Cracker/intruder: an expert programmer (though not necessarily an expert) who exploits the weaknesses of a program for the benefit of themselves or others
• Script kiddie
– Crackers who use scripts and programs written by other people
Some Terms
• Phreak
– A variant of hacker
– Phreak is short for phone phreak
– Phreaks are hackers with an interest in telephones and telephone systems
• White Hat/Black Hat
– White hat: good hacker
– Black hat: bad hacker
– Grey hat: good/bad
Some Terms
• Cyberterrorism is a premeditated, politically motivated attack against information, computer systems, computer programs, and data that results in violence against noncombatant targets by subnational groups or clandestine agents.
• Cyberwar. War in which a country's information systems could be paralyzed by a massive attack with destructive software.
Privacy
• Privacy. The right to be left alone and to be free of unreasonable personal intrusions.
• Two rules have been followed fairly closely in past court decisions in many countries:
– The right of privacy is not absolute. Privacy must be balanced against the needs of society.
– The public's right to know is superior to the individual's right of privacy.
• Electronic surveillance. The tracking of people's activities, online or offline, with the aid of computers.
– Example: Knight Rider?
Compromises to Intellectual Property
• Intellectual property. Property created by individuals or corporations which is protected under trade secret, patent, and copyright laws.
• Patent. Document that grants the holder exclusive rights on an invention or process for 20 years.
• Copyright. Statutory grant that provides creators of intellectual property with ownership of the property for the life of the creator plus 70 years.
• Piracy. Copying a software program without making payment to the owner.
Stages of an Attack
• Reconnaissance
– Gathering data about the target
• Active and passive
• Scanning
– Marks the start of the attack; looking for a way in
• Gaining access
– Obtaining the target
• Maintaining access
– Keeping access by various means, including planting programs and fixing the weaknesses used to get in
• Covering tracks
– Hiding their traces
Attack Levels
• Operating system level
– Patch & upgrade
• Application level
– Patch, antivirus & upgrade
• Shrink-wrap code level
– Using helper programs for attacks
• Misconfiguration level
Some Types of Attacks/Disruptions
• Attacks to gain access (access attacks)
– Attempt to gain access to various computer resources or data/information
• Attacks to make modifications (modification attacks)
– Preceded by an attempt to gain access, then illegitimately altering data/information
• Attacks to obstruct service delivery (denial of service attacks)
– Obstructing service delivery by disrupting the computer network
Passwords
• Password guessing
– Done systematically
– Brute-force technique:
• tries every possible password
– Dictionary technique:
• tries a collection of commonly used words, or words related to the user being targeted (date of birth, children's names, etc.)
Software Attacks
• Malicious software (malware) is designed to damage, destroy, or deny service to the targeted systems.
• The most common types of software attacks are viruses, worms, Trojan horses, logic bombs, back doors, denial-of-service, alien software, phishing and pharming.
Software Attacks (Continued)
• Viruses. Segments of computer code that perform unintended actions ranging from merely annoying to destructive.
• Worms. Destructive programs that replicate themselves without requiring another program to provide a safe environment for replication.
• Trojan horses. Software programs that hide in other computer programs and reveal their designed behavior only when they are activated.
Software Attacks (Continued)
• Logic bombs. Designed to activate and perform a destructive action at a certain time.
• Back doors or trap doors. Typically a password, known only to the attacker, that allows access to the system without having to go through any security.
Alien Software
• Pestware. Software that uses up valuable system resources and can report on your Web surfing habits and other personal information.
• Adware. Designed to help popup advertisements appear on your screen.
• Spyware. Software that gathers user information through the user's Internet connection without their knowledge (e.g. keylogger, password capture).
Alien Software (Continued)
• Spamware. Designed to use your computer as a launch pad for spammers.
• Spam. Unsolicited e-mail, usually for purposes of advertising.
• Cookies. Small amounts of information that Web sites store on your computer, temporarily or more-or-less permanently.
Alien Software (Continued)
• Web bugs. Small, usually invisible, graphic images that are added to a Web page or e-mail.
• Phishing. Uses deception, disguised as an official-looking e-mail, to fraudulently acquire sensitive personal information such as account numbers and passwords.
• Pharming. Fraudulently acquires the domain name for a company's Web site so that when people type in the Web site URL they are redirected to a fake Web site.
Borrowing via URL (hotlinking)
<IMG SRC="tempat.yang.dipinjam/gambarku.gif">
• The picture / image / file is not copied but "borrowed" through a hyperlink
• The file owner can be harmed: bandwidth is consumed
• Auditing is hard for an ordinary user without access to the log file (referrer)
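Added example, not from the slides: a Python audit of web server access-log lines that uses the referrer field the slide mentions to find images being borrowed from tempat.yang.dipinjam and to total the bandwidth it costs. The log lines, the image extensions and the borrowing host peminjam.example are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Hosts we own (the slide's example host); any other host embedding our images
# is "borrowing" them. Assumed for this example.
OUR_HOSTS = {"tempat.yang.dipinjam"}
IMAGE_EXT = (".gif", ".jpg", ".jpeg", ".png")

# Apache/nginx "combined" format: the referer is the first quoted field after
# the byte count, the very field an ordinary user cannot see.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log lines, not real traffic. peminjam.example is the
# assumed site that embeds <IMG SRC="tempat.yang.dipinjam/gambarku.gif">.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2013:10:01:02 +0700] "GET /gambarku.gif HTTP/1.1" 200 48213 "http://tempat.yang.dipinjam/galeri.html" "Mozilla/5.0"
203.0.113.7 - - [10/May/2013:10:01:09 +0700] "GET /gambarku.gif HTTP/1.1" 200 48213 "http://peminjam.example/halaman.html" "Mozilla/5.0"
198.51.100.2 - - [10/May/2013:10:02:11 +0700] "GET /gambarku.gif HTTP/1.1" 200 48213 "http://peminjam.example/halaman.html" "Mozilla/5.0"
198.51.100.9 - - [10/May/2013:10:03:00 +0700] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2013:10:03:01 +0700] "GET /logo.png HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format line into its fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_hotlinks(log_text, our_hosts=OUR_HOSTS):
    """Return {(referer_host, image_path): (requests, bytes_sent)} for image
    requests whose Referer points at a page on a host we do not own."""
    borrowed = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].lower().endswith(IMAGE_EXT):
            continue
        ref_host = urlparse(rec["referer"]).hostname
        # "-" (direct request, or referer stripped by the browser) and our own
        # pages are not hotlinks; a stripped referer therefore hides borrowing.
        if ref_host is None or ref_host in our_hosts:
            continue
        key = (ref_host, rec["path"])
        count, total = borrowed.get(key, (0, 0))
        sent = int(rec["bytes"]) if rec["bytes"].isdigit() else 0
        borrowed[key] = (count + 1, total + sent)
    return borrowed
```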
Security Weaknesses in Web Applications
The following are the top 10 security weaknesses in web applications:
• Unvalidated input
• Broken access control
• Broken authentication and session management
• Cross-site scripting
• Buffer overflows
• Injection flaws
• Insecure storage
• Denial of service on the server
• Insecure configuration management
User Responsibilities: Access Control - Physical
• Follow security procedures
• Wear identity cards and badges
• Ask unauthorized visitors for their credentials
• Attend to visitors in the reception and conference room only
• Do not bring visitors into the operations area without prior permission
• Do not bring hazardous and combustible material into the secure area
• Do not bring and use pen drives, zip drives, iPods or other storage devices unless otherwise authorized to do so
User Responsibilities: Password Guidelines
• Always use a password of at least 8 characters with a combination of letters, numbers and special characters (*, %, @, #, $, ^)
• Use passwords that you can easily remember
• Change your password regularly as per policy
• Use a password that is significantly different from earlier passwords
• Do not use passwords that reveal your personal information or words found in a dictionary
• Do not write down or store passwords
• Do not share passwords over phone or e-mail
• Do not use passwords that do not match the above complexity criteria
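Added example, not from the slides: a Python check that applies the password guidelines above and, for the earlier brute-force and dictionary passage, estimates the keyspace an exhaustive search must cover. The mini word list, the 60% similarity threshold for "significantly different" and the sample passwords are constructed assumptions.

```python
import difflib
import re

# Special characters listed in the guideline. A real attacker brute-forces all
# printable symbols, so the keyspace estimate below is deliberately conservative.
SPECIALS = "*%@#$^"
# Constructed mini dictionary: the words a dictionary attack tries first.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "monkey"}


def guideline_violations(password, personal_info=(), previous=None):
    """Return the guideline rules the password breaks (empty list = acceptable).

    Rules follow the slide: at least 8 characters; letters, digits and one of
    the listed special characters; no dictionary words or personal information
    (names, birth dates, ...); significantly different from the previous one.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"[0-9]", password):
        problems.append("no digits")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character from " + SPECIALS)
    lowered = password.lower()
    for word in sorted(COMMON_WORDS | {w.lower() for w in personal_info}):
        if len(word) >= 4 and word in lowered:
            problems.append("contains dictionary/personal word '%s'" % word)
    # "Significantly different": treat >= 60% sequence similarity as too close.
    if previous and difflib.SequenceMatcher(None, password, previous).ratio() >= 0.6:
        problems.append("too similar to the previous password")
    return problems


def brute_force_keyspace(password):
    """Candidates an exhaustive search must try, counting only the character
    classes the password actually uses: each extra class widens the alphabet,
    each extra character multiplies the total."""
    alphabet = 0
    if re.search(r"[a-z]", password):
        alphabet += 26
    if re.search(r"[A-Z]", password):
        alphabet += 26
    if re.search(r"[0-9]", password):
        alphabet += 10
    if any(c in SPECIALS for c in password):
        alphabet += len(SPECIALS)
    return alphabet ** len(password)
```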
User Responsibilities: Internet Usage
• Do not access the Internet through dial-up connectivity
• Do not use the Internet for viewing, storing or transmitting obscene or pornographic material
• Do not use the Internet for accessing auction sites
• Use Internet services for business purposes only
• Do not use the Internet for hacking other computer systems
• Do not use the Internet to download / upload commercial software / copyrighted material
The Technology Department is continuously monitoring Internet usage. Any illegal use of the Internet and other assets shall call for disciplinary action.
User Responsibilities: E-mail Usage
• Use official mail for business purposes only
• Follow the mail storage guidelines to avoid blocking of e-mails
• If you come across any junk / spam mail, do the following:
a) Remove the mail.
b) Inform the security help desk.
c) Inform the server administrator.
d) Inform the sender that such mails are undesired.
• Do not use your official ID for any personal subscription purpose
• Do not send unsolicited mails of any type, like chain letters or e-mail hoaxes
• Do not send mails to clients unless you are authorized to do so
• Do not post non-business-related information to a large number of users
• Do not open mail or attachments suspected of carrying a virus or received from an unidentified sender
Controls
• General controls. Established to protect the system regardless of its application.
– Physical controls. Physical protection of computer facilities and resources.
– Access controls. Restriction of unauthorized user access to computer resources; use biometrics and password controls for user identification.
• Network controls:
– Firewalls. System that enforces an access-control policy between two networks.
– Encryption. Process of converting an original message into a form that cannot be read by anyone except the intended receiver.
• Application controls. Controls that protect specific applications and include input, processing and output controls.
Controls (Continued)
• Information systems auditing. Independent or unbiased observers tasked with ensuring that information systems work properly.
• Types of auditors and audits
– Internal. Performed by corporate internal auditors.
– External. Reviews the internal audit as well as the inputs, processing and outputs of information systems.
Disaster Recovery Planning
• Disaster recovery. The chain of events linking planning to protection to recovery: the disaster recovery plan.
• Disaster avoidance. Oriented towards prevention, e.g. an uninterruptible power supply (UPS).
• Hot sites. External data center that is fully configured and has copies of the organization's data and programs.
Ethical Hacker (CEH)
• A hacker who is hired by a company to break into / hack that company in order to find its weaknesses and improve its security
– Works like a doctor
• Must sign an NDA (Non-Disclosure Agreement)
• Hacking testing:
– Whitebox: acting as an insider of the company
– Blackbox: acting as an outsider of the company
– Greybox: acting as an insider of the company but with limited access