Keamanan Sistem Informasi Introduction and Concepts

Document Sample
Keamanan Sistem Informasi Introduction and Concepts Powered By Docstoc
					Keamanan Sistem Informasi
           Introduction and Concepts



     Widyawan
     Electrical Engineering Department
     Gadjah Mada University
Is not the mouse that is the thief, it is the hole that
                   let the mouse in

                     Babylonian Talmud, Tractate Baba Metzia




                   Keamanan Sistem Informasi - Widyawan
Learning Plan
   Topics:
       Introduction
       Security Concepts
       Security Process and Topologies
       Attack Strategies
       Security and TCP/IP
       Malicious Code
       Infrastructure and Connectivity
       Monitoring
       Cryptography
       Security Management
                    Keamanan Sistem Informasi - Widyawan
   Assessment
       25 % simulation/programming
       25 % paper and/or presentation
       50 % exam


   Book :
       Security+ Study Guide, Michael Pastore, Sybex
       Hacking Exposed, Scambray, Mc Graw Hill

                    Keamanan Sistem Informasi - Widyawan
   Paper and Presentation
       Disaster Recovery Plan
       Security Manual: a case study
       Securing Protocol and Services: why and what
       Protocol Specific security analysis
       DMZ
   Assistance
       Access Control
       How to: NAT and Protocol
   Simulation
       NAT
       Securing Protocol and Services

                      Keamanan Sistem Informasi - Widyawan
Course Philosophy

   We are not going to be able to cover
    everything
   Main goals
       Exposure to different aspects of security; meant
        mainly to get your interest
       The mindset of security
       Become familiar with basic crypto, acronyms
        (RSA, SSL, PGP, etc.), and “buzzwords”
       Security is a process, not a product
                    Keamanan Sistem Informasi - Widyawan
Crisis
   Internet has grown very fast and security has
    lagged behind.
   Legions of hackers have emerged as impedance to
    entering the hackers club is low.
   It is hard to trace the perpetrator of cyber attacks
    since the real identities are camouflaged
   It is very hard to track down people because of the
    ubiquity of the network.
   Large scale failures of internet can have a
    catastrophic impact on the economy which relies
    heavily on electronic transactions
                    Keamanan Sistem Informasi - Widyawan
Computer Crime: The
Beginning
   In 1988 a "worm program" written by a college
    student shut down about 10 percent of computers
    connected to the Internet. This was the beginning
    of the era of cyber attacks
   In 1994 a 16-year-old music student called Richard
    Pryce, better known by the hacker alias Datastream
    Cowboy, is arrested and charged with breaking into
    hundreds of computers including those at the
    Griffiths Air Force base, Nasa and the Korean
    Atomic Research Institute. His online mentor, "Kuji",
    is never found.

                    Keamanan Sistem Informasi - Widyawan
1995
   In February, Kevin Mitnick is arrested for a
    second time. He is charged with stealing
    20,000 credit card numbers. He eventually
    spends four years in jail and on his release
    his parole conditions demand that he avoid
    contact with computers and mobile phones.
   On November 15, Christopher Pile becomes
    the first person to be jailed for writing and
    distributing a computer virus. Mr Pile, who
    called himself the Black Baron, was
    sentenced to 18 months in jail
                 Keamanan Sistem Informasi - Widyawan
1999 and 2000
   In March, the Melissa virus goes on the rampage and wreaks
    havoc with computers worldwide. After a short investigation,
    the FBI tracks down and arrests the writer of the virus, a 29-
    year-old New Jersey computer programmer, David L Smith.
   In February, some of the most popular websites in the world
    such as Amazon and Yahoo are almost overwhelmed by
    being flooded with bogus requests for data.
   In May, the ILOVEYOU virus is unleashed and clogs
    computers worldwide. Over the coming months, variants of the
    virus are released that manage to catch out companies that
    didn't do enough to protect themselves.
   In October, Microsoft admits that its corporate network has
    been hacked and source code for future Windows products
    has been seen


                       Keamanan Sistem Informasi - Widyawan
Keamanan Sistem Informasi - Widyawan
Incidents in Indonesia
   Web Deface
       www.RedHat.or.id
       Satelindo.co.id
       Polri.go.id
       FKP.or.id
       BEJ, dst.
       http://www.2600.com
   Indonesia is no.2 for Carding
       E commerce embargo from Indonesians‟ IP
       Difficulties in IP administration

                   Keamanan Sistem Informasi - Widyawan
Why Information Security

   Information is an economic commodity
     asset that must be protected
   Internet open an isolated system to the
    world
   Security is placed in low priority (even
    for large enterprises)
   Security is people problem
                Keamanan Sistem Informasi - Widyawan
Security is a people problem
   Security is need because people don‟t behave the
    way we wish they would
   Reasons: crime, malice, curiosity, stupidity, …
   Security problems are here to stay
   Technical solutions can only address a part of the
    problem
   Technical measures have to be managed in a wider
    security culture
   Social engineering is a powerful attack method


                   Keamanan Sistem Informasi - Widyawan
Security is a process, not a
product
   You cannot solve your security problems
    once and for all and then sit back and relax
   IT systems keep changing
   Attackers are inventive
   Threats keep changing:
       new attacks, e.g. the latest Internet worm
       new security requirements, e.g. resilience
        against denial-of-service attacks
   Keep your defences up-to-date
                    Keamanan Sistem Informasi - Widyawan
Information Security (ISec)

   Covers wide array of activities in
    organization
   Include both product and process to prevent
    unauthorized access, modification and
    deletion of information, knowledge, data and
    facts.
   The protection of resources by preventing
    them from being disrupted by attack

                 Keamanan Sistem Informasi - Widyawan
ISec Primary Focus

   Three Focus
       Physical Security                                  Physical

       Operational Security
       Management and
        Policies
    Security Triad 
                                                           Security


                                           Operational                Management




                    Keamanan Sistem Informasi - Widyawan
Physical Security

   protection of the assets and information
    from physical access by unauthorized
    personnel
   Three components:
       Making a physical location less desirable as a
        target
       Detecting penetration or theft
       Recovering from a theft or loss of critical
        information or systems

                    Keamanan Sistem Informasi - Widyawan
Operational Security

   How the organization does things includes
    computers, networks, communication
    systems and management of information
   Include access control, authentication,
    security topologies, back up and recovery
    plan
   One of the most effective thing to increase
    operational security  emphasize security
    training
                 Keamanan Sistem Informasi - Widyawan
Management and Policies
   Management and Policies provide the guidance, rules and
    procedure for implementing a security environment
   Policies, to be effective, must have full and uncompromising
    support from the management team
   A number of key policies
       Administrative policies
       Design Requirement
       Disaster Recovery Plan
       Information Policies
       Security Policies
       Usage Policies
       User Management Policies




                       Keamanan Sistem Informasi - Widyawan
   Administrative Policies
       Lay out guideline and expectations for upgrades,
        monitoring, backup and audits
       Specific enough for system administrator and staff to
        conduct business
       Flexible enough to allow emergencies and unforeseen
        circumstances
   Design Requirement
       Outline the capabilities of the system must be
       Typically part of the initial design
       If the design not include as integral part of the
        implementation, our system have vulnerabilities

                       Keamanan Sistem Informasi - Widyawan
   Disaster Recovery Plan
       Recovery plan to enable system operation after disaster
       Key aspect is a comprehensive back up plan
       Sometimes need a hot site
   Information Policies
       Refer to various aspect of information security
       Include access, classification, marking and storage, and
        transmission and destruction of sensitive information
   Security Policies
       Security Policies define how the configuration of system and
        networks occur
       Also define how Identification and Authorization (I&A) occurs,
        access control, audits and network connectivity
       Encryption and anti virus software usually are covered here
       Password selection and account expiration are covered as well

                         Keamanan Sistem Informasi - Widyawan
   Usage Policies
       Cover how information and resources used and lay down the law
        about computer usage
       Include statement about privacy, ownership and consequences
        of improper act
       Should clearly explain usage expectations about the internet and
        e-mail
   User Management Policies
       Various action that must occur in the normal course of employee
        activities
       Addressed how new employee are added to the system, training
        and orientation
       Updating or deleting privilege and access of transferred or
        terminated employee
       Mostly system administrator is not notified about personnel
        change
                        Keamanan Sistem Informasi - Widyawan
Security Strategy
   Prevention
       Preventing computer or information violations
        from occurring
       Ideally security procedure and policies would
        make invulnerable to an attack. Unfortunately,
        this is not the case, only lowering the like hood
        of successful attack
   Detection
       take measures so that you can detect when,
        how, and by whom an asset has been damaged
       May involve complicated tools or a simple
        examination log files
                     Keamanan Sistem Informasi - Widyawan
   Response
       Developing strategies and technique to deal with
        an attack or loss
       Better have recovery plan than „on the fly‟
   Example: Private Property
       Prevention: locks at doors, window bars, walls
        round the property
       Detection: stolen items are missing, burglar
        alarms, closed circuit TV
       Reaction: call the police, replace stolen items,
        make an insurance claim …

                     Keamanan Sistem Informasi - Widyawan
   Example: E-Commerce
       Prevention: encrypt your orders, rely on
        the merchant to perform checks on the
        caller, don‟t use the Internet (?) …
       Detection: an unauthorized transaction
        appears on your credit card statement
       Reaction: complain, ask for a new card
        number, etc.

                   Keamanan Sistem Informasi - Widyawan
Security Objectives

   Confidentiality: prevent unauthorised
    disclosure of information
   Integrity: prevent unauthorised
    modification of information
   Availability: prevent unauthorised with-
    holding of information or resources
   Other aspects: accountability,
    authenticity
                Keamanan Sistem Informasi - Widyawan
   Confidentiality
       Prevent unauthorised disclosure of information (prevent
        unauthorised reading)
       Sometimes, security and confidentiality are used as synonyms
       Do we want to hide the content of a document or its existence?
   Integrity
       prevent unauthorised modification of information (prevent
        unauthorised writing)
       Integrity in communications: detection (and correction) of
        intentional and accidental modifications of transmitted data
       In the most general sense: make sure that everything is as it is
        supposed to be; the data in a computer system should correctly
        reflect some reality outside the computer system
       (This is highly desirable but cannot be guaranteed by
        mechanisms internal to the computer system.)

                         Keamanan Sistem Informasi - Widyawan
   Availability
       the property of being accessible and usable
        upon demand by an authorised entity
       Denial of Service (DoS): The prevention of
        authorised access of resources or the delaying
        of time-critical operations
       Maybe the most important aspect of computer
        security, but few methods are around
       Distributed denial of service (DDoS) receives a
        lot of attention; systems are now designed to be
        more resilient against these attacks
                    Keamanan Sistem Informasi - Widyawan
   Accountability
       audit information must be selectively kept and
        protected so that actions affecting security can
        be traced to the responsible party
       Users are identified and authenticated to have a
        basis for access control decisions.
       The security system keeps an audit log (audit
        trail) of security relevant events to detect and
        investigate intrusions

                    Keamanan Sistem Informasi - Widyawan
   Medical records that are accessible
    on-line are sensitive information that
    should be protected from disclosure,
    but in an emergency it is highly
    desirable that whoever treats you has
    access to your record. How would you
    use prevention, detection, and
    recovery to secure your records
                Keamanan Sistem Informasi - Widyawan