Matakuliah Tahun Versi :A0334/Pengendalian Lingkungan Online : 2005 : 1/1 Pertemuan 2 Information at Risk 1 Learning Outcomes Pada akhir pertemuan ini, diharapkan mahasiswa akan mampu : • Mahasiswa dapat menyatakan Resiko Informasi 2 Outline Materi • Recent Attack Trends – Trends • • • • • • Trend 1: Automation and Speed of Attack Tools Trend 2: Increasing Sophistication of Attack Tools Trend 3: Faster discovery of Vulnerabilities Trend 4: Increasing Permeability of Firewalls Trend 5: Increasingly Asymmetric Threat Trend 6: Increasingly Threat from Infrastructure Attacks – Proliferation of Attack Tools and ‘Script Kiddies’ – Lack of Awareness of The Value of Data – Companies Increasingly Trade on Brand 3 • Recognising The Enemy Within – The Scale of The Internal Problem – Conspiracy or Complacency? • Rogue and Careless Employees – – – – – – – – – – – Passwords Viruses SpyWare Internet Surfing Email Poor Network Policy Policy Does Not Apply to Me! The Victimless Crime? Board Responsibilities BS 7799 (ISO 17799) A Final Word on Security 4 Recent Attack Trends • Trends • Proliferation of Attack Tools and ‘Script Kiddies’ • Lack of Awareness of The Value of Data • Companies Increasingly Trade on Brand 5 Trends • Whilst the Internet has created a number of opportunities for companies to save costs and improve marketing, at the same time it has exposed companies to much greater risk to both their cost base and brand. 6 Trend 1: Automation and Speed of Attack Tools • The level of automation in attack tools continues to increase. 7 • Automated attacks commonly involve four phases, each of which is changing: – Scanning for potential victims – Compromising vulnerable systems – Propagation of the attack – Co-ordinated management of attack tools 8 Trend 2: Increasing Sophistication of Attack Tools • Attack tool developers are using more advanced techniques than previously, including: – Anti-forensics – Dynamic behaviour – Modularity of attack tools 9 Trend 3: Faster Discovery of Vulnerabilities • The number of newly discovered vulnerabilities reported to the CERT/CC (CERT Co-ordination Centre) continues to more than double each year. 10 Trend 4: Increasing Permeability of Firewalls • Firewalls are often relied upon to provide primary protection from intruders. 11 Trend 5: Increasingly Asymmetric Threat • Security on the Internet is, by its very nature, highly interdependent. 12 Trend 6: Increasing Threat from Infrastructure Attacks • Infrastructure attacks broadly affect key components of the Internet. 13 • Three types of infrastructure attack are: – Distributed denial of service – Worms – Attacks on the Internet Domain Name System (DNS) 14 Proliferation of Attack Tools and ‘Script Kiddies’ • ‘Script kiddies” can be thought of as cyber joyriders. They are often not looking for a specific company or seeking particular information. • A small minority of script kiddies possess the required technical knowledge to produce the scripts they use. The majority, however, will use ready-made tools that are easily downloadable from the Internet. • The fact that the attack and scans are random means that the script kiddies are a threat. 15 Lack of awareness of The Value of Data • The realisation of the value of data has been slow in coming. The retail industry realised that by introducing loyalty cards they could gain intelligence on customers and then use it to better target marketing and improve their understanding of buying relationships and trends. 16 Companies Increasingly Trade on Brand • The protection of brand names therefore is of critical concern. 17 Recognising The Enemy Within • • • • • • • • • • • • • The Scale of The Internal Problem Conspiracy or Complacency? Passwords Viruses SpyWare Internet Surfing Email Poor Network Policy Policy Does Not Apply to Me! The Victimless Crime? Board Responsibilities BS 7799 (ISO 17799) A Final Word on Security 18 The Scale of The Internal Problem • Too often companies prefer to look outward when it comes to problems such as hacking when, in reality, problems could be based closer to home. 19 Conspiracy or Complacency? • It should be recognised that to allow people to do their jobs efficiently we have to place them in a position of trust, with access to sensitive data and systems. 20 Temporary Staff • At time of peak load, temporary staff often arrive on site on the first day, direct from the supply agency, without interview or other screening process. 21 Rogue and Careless Employees • The obvious primary candidate in this category is the disgruntled employee, overlooked for promotion, supposedly undervalued, denied a reserved car parking space, or just plain got out of bed on the wrong side. • The careless employee is the one that leaves their password written on a piece of paper in the top drawer of their desk, or who walks away from a terminal leaving it connected to a valuable data source. The careless employee is not necessarily malicious and in most cases is not aware of the potential impact of their actions, because nobody has made it clear to them. 22 Passwords • This may seem simple, but passwords must be employed, as well as systems armed with screen savers that require passwords to unlock them. It is no use having implemented this technology if you then write the password on the whiteboard by the desk or tell all your friend what it is. 23 Viruses • Apart from the well-known damage that viruses can cause, what is less-known is that some viruses sit passively and send sensitive information back out to sides and hackers on the Internet, or open up doorways for incoming connections. This information is often used for more serious security breaches and, as you are generating the information internally and sending it out, you firewall systems often pass it on unaware of its true nature. 24 SpyWare • To continue on this theme, there are many software applications that also broadcast information out in a similar way. Often based in games or ‘utilities’ that are downloaded from the Internet or brought into the office, they act in exactly the same way as many of the Trojan viruses. 25 Internet Surfing • Is it fraud to spend your employer’s time surfing the Internet for private use? 26 Email • We all love to gossip and email has certainly improved and informalised the way we communicate with each other. • Virus protection certainly has to be a priority here, on both the workstations and the mail servers. N careful consideration should also be given as to who should be able to send mail attachments and also to the implementation of scanners that check mail content to stop people sending out unauthorised confidential material. 27 Poor Network Policy • Modern PC systems are designed to talk to each other very easily and the everage school leaver has plenty of familiarity with them. 28 Policy Does Not Apply to Me! • Having policy is all well and good but it must be enforced. 29 The victimless Crime? • One of the challenges with computer security is the idea that it is a victimless crime. If an internal hacker copies a database of customer details, the company still has the database and therefore they may not see it as a crime. It its, however, and the victims are all the people who suffer as a consequence should business levels drop off because a competitor has their customer information. • People often do not realise the financial impact of the time spent to rebuild systems after a vandal has destroyed data, or the loss in service to customers. It all has an impact, and we have a duty to minimise the opportunities for these types of incidents. 30 Board Responsibilities • There are now a whole host of legal and regulatory requirement detailing the responsibilities of the board or a business owner to ensure that information stored on computers, particularly personal information, is protected from improper use or access. • The report states that ‘the board of directors is responsible for the company’s system of internal control. It should set appropriate policies on internal control and seek regular assurance that will enable it to satisfy itself that the system is functioning effectively. It should ensure that the system of internal control is effective in managing those risks in the manner which it has approved. 31 • Dependence on IT for many firms means that the financial consequences of any loss of information or breach in security should be considered. This needs to be reviewed not simply in terms of the information itself, but also for the cost of preventing further failures and the impact on the company’s reputation, brand value, performance and future potential. 32 BS 7799 (ISO 17799) • The british Standards Institute (BSI) has published the standard for an Information Security Management System that offers external audit and certification to a recognised British standard and many organisations are now looking to this as a benchmark for good practice and as a measure of those with whom they wish to trade electronically. This provides an excellent framework for the establishment of the policies and procedures that will allow organisations to protect themselves from security threats, both internal and external, but it also provides a structured manner and common measure for all organisations. 33 A Final Word on Security • Management systems must be put in place and a series of checks and reporting methods established. At the very least a clear and unequivocal security policy should be put in place and staff should be trained to understand its relevance and its requirements. • In general, behaviour is the only way in which we can spot potential data thieves or vandals before the event occurs. This is down to good and sensitive management and an awareness of staff abilities, life issues and work patterns is essential. Any change in these could be a trigger for such an event. • Monitoring the overall behaviour people and watching changing patterns of work is also a good way of establishing potential weaknesses. • We should not, however, be paranoid about people on a personal basis. 34 • There is no such thing as the perfect system. There is no bank that cannot be robbed, only those that are so strongly protected that softer targets are chosen instead. Security is provided not by one device but by a range of devices, systems and management procedures, built up in layers like the skin of an onion. The outer skins may get damaged, but the inner core is preserved. • There are lesson to be learnt from the disaster recovery business, where corporations have had major fires that destroyed their core assets. 35 The End 36