Matakuliah
Tahun
Versi
:A0334/Pengendalian Lingkungan Online
: 2005
: 1/1
Pertemuan 2
Information at Risk
1
Learning Outcomes
Pada akhir pertemuan ini, diharapkan mahasiswa
akan mampu :
• Mahasiswa dapat menyatakan Resiko
Informasi
2
Outline Materi
• Recent Attack Trends
– Trends
•
•
•
•
•
•
Trend 1: Automation and Speed of Attack Tools
Trend 2: Increasing Sophistication of Attack Tools
Trend 3: Faster discovery of Vulnerabilities
Trend 4: Increasing Permeability of Firewalls
Trend 5: Increasingly Asymmetric Threat
Trend 6: Increasingly Threat from Infrastructure Attacks
– Proliferation of Attack Tools and ‘Script Kiddies’
– Lack of Awareness of The Value of Data
– Companies Increasingly Trade on Brand
3
• Recognising The Enemy Within
– The Scale of The Internal Problem
– Conspiracy or Complacency?
• Rogue and Careless Employees
–
–
–
–
–
–
–
–
–
–
–
Passwords
Viruses
SpyWare
Internet Surfing
Email
Poor Network Policy
Policy Does Not Apply to Me!
The Victimless Crime?
Board Responsibilities
BS 7799 (ISO 17799)
A Final Word on Security
4
Recent Attack Trends
• Trends
• Proliferation of Attack Tools and ‘Script
Kiddies’
• Lack of Awareness of The Value of Data
• Companies Increasingly Trade on Brand
5
Trends
• Whilst the Internet has created a number
of opportunities for companies to save
costs and improve marketing, at the same
time it has exposed companies to much
greater risk to both their cost base and
brand.
6
Trend 1: Automation and Speed of
Attack Tools
• The level of automation in attack tools
continues to increase.
7
• Automated attacks commonly involve four
phases, each of which is changing:
– Scanning for potential victims
– Compromising vulnerable systems
– Propagation of the attack
– Co-ordinated management of attack tools
8
Trend 2: Increasing Sophistication of
Attack Tools
• Attack tool developers are using more
advanced techniques than previously,
including:
– Anti-forensics
– Dynamic behaviour
– Modularity of attack tools
9
Trend 3: Faster Discovery of
Vulnerabilities
• The number of newly discovered
vulnerabilities reported to the CERT/CC
(CERT Co-ordination Centre) continues to
more than double each year.
10
Trend 4: Increasing Permeability of
Firewalls
• Firewalls are often relied upon to provide
primary protection from intruders.
11
Trend 5: Increasingly Asymmetric
Threat
• Security on the Internet is, by its very
nature, highly interdependent.
12
Trend 6: Increasing Threat from
Infrastructure Attacks
• Infrastructure attacks broadly affect key
components of the Internet.
13
• Three types of infrastructure attack are:
– Distributed denial of service
– Worms
– Attacks on the Internet Domain Name System
(DNS)
14
Proliferation of Attack Tools and ‘Script
Kiddies’
• ‘Script kiddies” can be thought of as cyber
joyriders. They are often not looking for a
specific company or seeking particular
information.
• A small minority of script kiddies possess the
required technical knowledge to produce the
scripts they use. The majority, however, will use
ready-made tools that are easily downloadable
from the Internet.
• The fact that the attack and scans are random
means that the script kiddies are a threat.
15
Lack of awareness of The Value of Data
• The realisation of the value of data has
been slow in coming. The retail industry
realised that by introducing loyalty cards
they could gain intelligence on customers
and then use it to better target marketing
and improve their understanding of buying
relationships and trends.
16
Companies Increasingly Trade on Brand
• The protection of brand names therefore is
of critical concern.
17
Recognising The Enemy Within
•
•
•
•
•
•
•
•
•
•
•
•
•
The Scale of The Internal Problem
Conspiracy or Complacency?
Passwords
Viruses
SpyWare
Internet Surfing
Email
Poor Network Policy
Policy Does Not Apply to Me!
The Victimless Crime?
Board Responsibilities
BS 7799 (ISO 17799)
A Final Word on Security
18
The Scale of The Internal Problem
• Too often companies prefer to look
outward when it comes to problems such
as hacking when, in reality, problems
could be based closer to home.
19
Conspiracy or Complacency?
• It should be recognised that to allow
people to do their jobs efficiently we have
to place them in a position of trust, with
access to sensitive data and systems.
20
Temporary Staff
• At time of peak load, temporary staff often
arrive on site on the first day, direct from
the supply agency, without interview or
other screening process.
21
Rogue and Careless Employees
• The obvious primary candidate in this category
is the disgruntled employee, overlooked for
promotion, supposedly undervalued, denied a
reserved car parking space, or just plain got out
of bed on the wrong side.
• The careless employee is the one that leaves
their password written on a piece of paper in the
top drawer of their desk, or who walks away
from a terminal leaving it connected to a
valuable data source. The careless employee is
not necessarily malicious and in most cases is
not aware of the potential impact of their actions,
because nobody has made it clear to them.
22
Passwords
• This may seem simple, but passwords
must be employed, as well as systems
armed with screen savers that require
passwords to unlock them. It is no use
having implemented this technology if you
then write the password on the whiteboard
by the desk or tell all your friend what it is.
23
Viruses
• Apart from the well-known damage that
viruses can cause, what is less-known is
that some viruses sit passively and send
sensitive information back out to sides and
hackers on the Internet, or open up
doorways for incoming connections. This
information is often used for more serious
security breaches and, as you are
generating the information internally and
sending it out, you firewall systems often
pass it on unaware of its true nature.
24
SpyWare
• To continue on this theme, there are many
software applications that also broadcast
information out in a similar way. Often
based in games or ‘utilities’ that are
downloaded from the Internet or brought
into the office, they act in exactly the same
way as many of the Trojan viruses.
25
Internet Surfing
• Is it fraud to spend your employer’s time
surfing the Internet for private use?
26
Email
• We all love to gossip and email has certainly
improved and informalised the way we
communicate with each other.
• Virus protection certainly has to be a priority
here, on both the workstations and the mail
servers. N careful consideration should also be
given as to who should be able to send mail
attachments and also to the implementation of
scanners that check mail content to stop people
sending out unauthorised confidential material.
27
Poor Network Policy
• Modern PC systems are designed to talk
to each other very easily and the everage
school leaver has plenty of familiarity with
them.
28
Policy Does Not Apply to Me!
• Having policy is all well and good but it
must be enforced.
29
The victimless Crime?
• One of the challenges with computer security is the idea
that it is a victimless crime. If an internal hacker copies a
database of customer details, the company still has the
database and therefore they may not see it as a crime.
It its, however, and the victims are all the people who
suffer as a consequence should business levels drop off
because a competitor has their customer information.
• People often do not realise the financial impact of the
time spent to rebuild systems after a vandal has
destroyed data, or the loss in service to customers. It all
has an impact, and we have a duty to minimise the
opportunities for these types of incidents.
30
Board Responsibilities
• There are now a whole host of legal and regulatory
requirement detailing the responsibilities of the board or
a business owner to ensure that information stored on
computers, particularly personal information, is protected
from improper use or access.
• The report states that ‘the board of directors is
responsible for the company’s system of internal control.
It should set appropriate policies on internal control and
seek regular assurance that will enable it to satisfy itself
that the system is functioning effectively. It should
ensure that the system of internal control is effective in
managing those risks in the manner which it has
approved.
31
• Dependence on IT for many firms means
that the financial consequences of any
loss of information or breach in security
should be considered. This needs to be
reviewed not simply in terms of the
information itself, but also for the cost of
preventing further failures and the impact
on the company’s reputation, brand value,
performance and future potential.
32
BS 7799 (ISO 17799)
• The british Standards Institute (BSI) has
published the standard for an Information
Security Management System that offers
external audit and certification to a recognised
British standard and many organisations are
now looking to this as a benchmark for good
practice and as a measure of those with whom
they wish to trade electronically. This provides
an excellent framework for the establishment of
the policies and procedures that will allow
organisations to protect themselves from
security threats, both internal and external, but it
also provides a structured manner and common
measure for all organisations.
33
A Final Word on Security
• Management systems must be put in place and a series of checks
and reporting methods established. At the very least a clear and
unequivocal security policy should be put in place and staff should
be trained to understand its relevance and its requirements.
• In general, behaviour is the only way in which we can spot potential
data thieves or vandals before the event occurs. This is down to
good and sensitive management and an awareness of staff abilities,
life issues and work patterns is essential. Any change in these
could be a trigger for such an event.
• Monitoring the overall behaviour people and watching changing
patterns of work is also a good way of establishing potential
weaknesses.
• We should not, however, be paranoid about people on a personal
basis.
34
• There is no such thing as the perfect system.
There is no bank that cannot be robbed, only
those that are so strongly protected that softer
targets are chosen instead. Security is provided
not by one device but by a range of devices,
systems and management procedures, built up
in layers like the skin of an onion. The outer
skins may get damaged, but the inner core is
preserved.
• There are lesson to be learnt from the disaster
recovery business, where corporations have had
major fires that destroyed their core assets.
35
The End
36