Course: A0334/Pengendalian Lingkungan Online (Online Environment Control)
Year: 2005
Version: 1/1

Session 16
Security Policies

Learning Outcomes
At the end of this session, students are expected to be able to:
• State security policies

Outline of Material
• Security Testing – So How Is Security Testing Carried Out?
• Open Source in the Enterprise

Security Testing
• How often do we hear in the news about customers finding faults in e-commerce websites and the negative publicity it brings? Yet we still find ourselves saying ‘if our e-commerce system isn’t working, our customers will soon let us know’. Relying on customers to test your system is the best way to lose them.
• Banking and e-commerce customers are often the first to notice when things go wrong, even before the website’s IT staff and long before directors and senior management.
• E-commerce customers are often headline news for being unable to access their own accounts, being presented with other users’ personal details or finding credit card lists online.
• Such problems are not confined to the consumer arena. Commercial, legal and industrial firms often share clients’ confidential data, plans and proposals online in an insecure environment, leaving them vulnerable to outsiders. The loss of client confidence can spread like a cancer if not checked.
• Sometimes security problems arise during internal system changes by IT staff, but often they are the result of something more malicious, such as hackers testing their ‘cybermuscles’ in order to deny user access, or those with more sinister, criminal intent.
• The more subtle attackers may gain access and do nothing to draw attention to their presence. Hacker ‘toolkits’ can be hidden within existing data. Changes may not be noticed for months.
• Vulnerabilities to such attacks may appear in previously watertight systems whenever the systems are internally upgraded or reconfigured. Even adding a firewall can lead to other vulnerabilities. Few IT systems these days are static.
• Network security is something none of us can afford to compromise. Valuable IT time and resources may be required to recover systems and business can be lost in the short term, but most importantly reputations can be permanently damaged.
• While most off-the-shelf systems are extensively tested, many larger organisations prefer to design and build their own, although such bespoke systems are especially vulnerable. They are often complex, and it is difficult to be sure that the system is working correctly even though you have looked at all of the components and fitted them together properly. Regular penetration testing can help you to know your system’s vulnerabilities and to do something about them before any trouble arrives.
• You might ask yourself how well you know your system, particularly if changes are made on a regular basis by different IT staff.

So How Is Security Testing Carried Out?
• ‘Regular Monitor’ penetration testing involves NTA looking at the vulnerability of a network from the point of view of a potential attacker and searching for any weakness that could be exploited to gain access to a system. However, this is done within very strict parameters: security holes are located, identified and reported, but they are not exploited to gain access to a system.
• Security testing gives operators greater confidence in their systems and gives their customers greater trust, safe in the knowledge that data and communications are secure. Never let the customer be the one to inform you that things are going wrong. To put your Internet customers first, check your system regularly.

Open Source in the Enterprise
• In proprietary software, a single company claims ‘ownership’ of the software and keeps a tight grip on its ‘intellectual property’. Often part of the ‘intellectual property’ they so carefully guard is the nature of that ‘intellectual property’ itself.
• The security community at large has a long history of taking matters into its own hands in a virtual ‘name and shame’ tradition, where security flaws in many products, commercial or otherwise, are openly discussed.

The End