Keamanan Sistem (System Security, CNG4O3)
Keamanan Sistem (System Security, CNG4O3), 2014-2
02 – Information Security

The Computing Technology Industry Association (CompTIA) Security+ certification is a vendor-neutral credential, internationally recognized as validating a foundation level of security skills and knowledge.

Course topics
1. Introduction to Security
2. Malware and Social Engineering Attacks
3. Application and Network Attacks
4. Vulnerability Assessment and Mitigating Attacks
5. Host, Application, and Data Security
6. Network Security
7. Administering a Secure Network
8. Wireless Network Security
9. Access Control Fundamentals
10. Authentication and Account Management
11. Basic Cryptography
12. Advanced Cryptography
13. Business Continuity
14. Risk Mitigation

Threat reports:
http://www.symantec.com/security_response/publications/threatreport.jsp
http://www.idsirtii.or.id/tahunan/tahun/2013.html

Information Security positions
• InfoSec managerial positions: include the administration and management of plans, policies, and people.
• InfoSec technical positions: concerned with the design, configuration, installation, and maintenance of technical security equipment.

Solution to securing computers:
• using a better software product
• creating a stronger password
http://www.innovationexcellence.com/blog/2012/10/25/understanding-complexity-and-what-to-do-about-it/

“Security” ≈ the necessary steps to protect a person or property from harm.
• That harm may come primarily from two different sources:
  • a direct action that is intended to inflict damage or suffering;
  • an indirect and nonintentional action.
Security usually includes:
• preventive measures
• preemptive attacks (in some instances)
• rapid response

“Information Security” ≈ the tasks of securing information that is in a digital format:
• manipulated by a microprocessor
• stored on a storage device
• transmitted over a network

Information Security creates a defense that attempts to ward off attacks and prevents the collapse of the system when a successful attack occurs.

Three primary protections: confidentiality, integrity, availability.
Another set of protections: authentication, authorization, accounting.

Information security is that which protects the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit the information, through products, people, and procedures.

Terminologies
• “How much risk can we tolerate?”
• Risk = Threat × Vulnerability × Cost
• Three options when dealing with risk:
  • accept the risk
  • diminish the risk
  • transfer the risk
http://www.oncallinternational.com/blog/travel-risk-management-5-steps-protecting-traveling-employees/

Who Are the Attackers?
• Hackers: {white-hat, black-hat} “attackers”
• Script kiddies: use automated attack software
• Computer spies: hired to attack a specific computer or system that contains sensitive information
• Insiders: mostly sabotage and theft of intellectual property
• Cybercriminals: a network of attackers, identity thieves, spammers, and financial fraudsters
• Cyberterrorists: attack a nation’s network and computer infrastructure to cause panic among citizens

Steps of an Attack (typical)

Five fundamental security principles
• Layering
• Diversity
• Limiting
• Simplicity
• Obscurity

Layering
http://www.ackengineeringltd.com/security.php
http://patientsafetyed.duhs.duke.edu/module_e/swiss_cheese.html
http://www.planetware.com/london/tower-of-london-eng-l-tl.htm

Limiting
• Limiting access to information reduces the threat against it.
• What level of access should users have? The best answer is the least amount necessary to do their jobs, and no more.
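Added example (not from the lecture slides): the “another set of protections” above, authentication, authorization and accounting, together with the Limiting principle, in one small access-control core. Users, passwords, roles and permission names are constructed for the example; the role table lists only what each job needs and everything else is denied by default.

```python
"""Authentication, authorization and accounting with least-privilege roles (deny by default)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 100_000          # iteration count for the example; follow current guidance in production
DUMMY_SALT = b"\x00" * 16        # used so unknown user names cost the same time as wrong passwords

# Constructed role table: each role carries only the rights its job needs (Limiting).
# Any permission not listed for a role is denied.
ROLE_PERMISSIONS = {
    "clerk":   {"records:read"},
    "auditor": {"records:read", "audit:read"},
    "admin":   {"records:read", "records:write", "users:manage"},
}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash: a stolen user table does not yield passwords directly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    role: str


@dataclass
class AccessControl:
    users: dict[str, User]
    audit_log: list[tuple[str, str, str]] = field(default_factory=list)

    # Accounting: every decision, allowed or denied, is recorded.
    def _record(self, event: str, who: str, detail: str) -> None:
        self.audit_log.append((event, who, detail))

    # Authentication: prove the caller is who they claim to be.
    def authenticate(self, name: str, password: str) -> bool:
        user = self.users.get(name)
        if user is None:
            hash_password(password, DUMMY_SALT)   # equalise timing so user names cannot be enumerated
            self._record("authn_fail", name, "unknown user")
            return False
        ok = hmac.compare_digest(hash_password(password, user.salt), user.pw_hash)
        self._record("authn_ok" if ok else "authn_fail", name, "password check")
        return ok

    # Authorization: grant only what the caller's role explicitly lists (least privilege).
    def authorize(self, name: str, permission: str) -> bool:
        user = self.users.get(name)
        allowed = user is not None and permission in ROLE_PERMISSIONS.get(user.role, set())
        self._record("authz_allow" if allowed else "authz_deny", name, permission)
        return allowed

    def perform(self, name: str, password: str, permission: str) -> bool:
        """Full AAA path: the action may proceed only if authentication and authorization both pass."""
        return self.authenticate(name, password) and self.authorize(name, permission)


def build_demo() -> AccessControl:
    """Constructed sample accounts for the example (not real users)."""
    users = {}
    for name, password, role in [("alice", "correct horse battery", "clerk"),
                                 ("bob", "hunter2!", "admin")]:
        salt = os.urandom(16)
        users[name] = User(name, salt, hash_password(password, salt), role)
    return AccessControl(users)


if __name__ == "__main__":
    ac = build_demo()
    print("alice reads records :", ac.perform("alice", "correct horse battery", "records:read"))
    print("alice writes records:", ac.perform("alice", "correct horse battery", "records:write"))
    print("bob, wrong password :", ac.perform("bob", "wrong", "users:manage"))
    for entry in ac.audit_log:
        print(" audit:", entry)
```

Two points worth checking in your own systems: a role that needs a new permission gets that one permission added, never a broader role; and the audit log records denials as well as grants, because a burst of `authz_deny` entries is usually the first sign of a compromised account probing for access.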
http://www.tntmagazine.com/london/events/a-royal-summer-the-arrival-of-prince-george-the-opening-of-buckingham-palace-and-more-london-events-to-get-you-swept-up-in-royal-fever/page/2

Diversity
• The layers must also be different (diverse).
• If attackers penetrate one layer, they cannot use the same techniques to break through all the other layers.
http://www.loveindonesia.com/news/en/news/detail/7791/benteng-aleppo-saksi-kehebatan-arsitektur-islam-1

Obscurity
• Security by obscurity: obscuring to the outside world what is on the inside makes attacks that much more difficult.
• For example, not revealing the type of computer, version of operating system, or brand of software that is used.
http://thedailyomnivore.net/2013/01/28/security-through-obscurity/

Simplicity
• Complex security systems can be hard to understand, troubleshoot, and even feel secure about.
• As much as possible, a secure system should be simple for those on the inside to understand and use.
• Challenge: keeping a system simple from the inside but complex on the outside.

Hands-On: Use an EULA Analyzer
• Find the end-user license agreement of any program, e.g. Microsoft Windows’ EULA.
• Go to: www.spywareguide.com/analyze/analyzer.php
• Copy and paste the EULA text under “Paste license here:”
• Be sure that “Detailed analysis” is selected.
• After the analysis is completed, scroll down through the document and note the instances of “Reference to tracking or monitoring”. Do you agree with these conditions?
• Try other EULAs.
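Added example (not from the lecture slides) for the Obscurity slide: the most common leak of “which software and which version” is the Server header a web server sends with every response. Python’s standard `http.server` advertises its framework and interpreter version by default; the subclass below replaces that banner with a generic string. The server, the loopback probe and the banner value `webserver` are all constructed for this example.

```python
"""Obscurity in practice: stop an HTTP server from advertising its software and version."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class DefaultHandler(BaseHTTPRequestHandler):
    """Stock behaviour: send_response() adds 'Server: BaseHTTP/x.y Python/3.z' to every reply."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"hello\n")

    def log_message(self, format, *args):
        pass  # keep the example quiet; real deployments log elsewhere


class HardenedHandler(DefaultHandler):
    """Same handler, but version_string() no longer reveals framework or interpreter version."""

    def version_string(self):
        return "webserver"  # generic banner chosen for this example


def probe_server_header(handler_cls):
    """Serve handler_cls on an ephemeral loopback port, fetch '/', and return the Server header."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    worker = threading.Thread(target=server.serve_forever, daemon=True)
    worker.start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_address[1], timeout=5)
        conn.request("GET", "/")
        resp = conn.getresponse()
        resp.read()
        banner = resp.getheader("Server")
        conn.close()
    finally:
        server.shutdown()
        server.server_close()
    return banner


if __name__ == "__main__":
    print("default :", probe_server_header(DefaultHandler))
    print("hardened:", probe_server_header(HardenedHandler))
```

The hardened banner raises the cost of picking an exploit by version number, which is exactly the benefit the slide describes; it does not remove the vulnerability itself, and fingerprinting by behaviour (header order, error pages, timing) still works, so treat obscurity as one layer alongside patching and the other principles, never as a substitute for them.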