Course: A0334/Pengendalian Lingkungan Online
Year: 2005
Version: 1/1

Session 5
Points of Exposure

Learning Outcomes
By the end of this session, students are expected to be able to:
• Students can explain Points of Exposure

Material Outline
• Email
  – The Big Question
  – Threats to Email
    • Confidentiality
    • Integrity
    • Authenticity
  – Consequences
  – Reasons to Address The Threats
  – Reducing The Risks and Eliminating The Threat
    • Encryption
    • Digital Signature
  – Perceived Barriers to Securing Email
    • Email Encryption and Virus Detection Software
  – Plugging The Hole

Email
• Email is one of the simplest and most effective communication tools available. It is quick, convenient and cheap but, unless used properly, fundamentally insecure. It is as public as a postcard and leaves a written record long after it has been erased, meaning that any skilled or knowledgeable person can recover a long-forgotten or buried email message from deep inside a networked system. There is no doubt that in a business environment the use of email and the Internet poses a threat to a business’s ability to protect company intellectual property and other confidential information.

The Big Question
• It is unquestionable that email security is the next big IT security issue – a fact that gives rise to the following question: if a company’s most valuable asset apart from its workforce is its intellectual property, why are so many businesses failing to take the crucial steps towards protecting that property in its electronic form when it would be both simple and cost-effective for them to do so?
• IT security experts would obviously understand the issues surrounding treatment of the Internet in greater depth than the average man in the street, but the need to extend this awareness to all Internet users is now critical. Letters have been used as a form of communication for thousands of years, so it is no wonder that people have learnt how to deal with them safely. For the Internet – and consequently email – there has been far less time for users to absorb the underlying principles and implications surrounding its use.

Threats to Email
• The main points of exposure within the process of sending unprotected email are:
  – Confidentiality
  – Integrity
  – Authenticity

Confidentiality
• The information sent is vulnerable to being anonymously read by any unauthorised person whilst in transit. Hack-attacks of this kind are very easy to perform by almost anyone who has the will to do so. A good analogy for this type of email hack is the postman who allows another person to read other people’s postcards before delivering them to the rightful recipients.

Integrity
• The contents of an unprotected email can also be anonymously modified while they are in transit and then passed on to the recipient as if they were the original message, without either the recipient or sender being any the wiser.

Authenticity
• Emails can be easily and anonymously forged so that messages appear to be from a certain person.

Consequences
• Cyber-criminals – and it is known that the majority of them operate covertly within their own company – go about their business for a variety of reasons. These range from an intention to gain a competitive edge (corporate espionage) to the desire to exact revenge or to further a political cause.

Reasons to Address The Threats
• While horror stories abound, the average business or private user of email might feel they have nothing much to hide and are unlikely targets for hackers.
Reducing The Risks and Eliminating The Threat
• Whilst it is true that information security has become a greater priority in the last two years, especially at board level, the threats have also increased substantially. Modern cryptography techniques and services can add substantial benefits to electronic business arrangements. These techniques can scramble data to avoid unauthorised disclosure and also to ensure the integrity, authenticity and legitimacy of electronic communication records and computerised transactions.

Encryption
• This is the electronic equivalent of putting a message in an envelope (see Figure 2.1.1, p. 57). It protects confidentiality and confirms for the recipient that the message has arrived in its original state without having been seen by an unauthorised person. Good encryption software ensures that information is only decrypted as and when needed and then makes provision for the safe deletion of electronic messages.

Digital Signature
• This is the electronic equivalent of signing and sealing a letter by hand (see Figure 2.1.2, p. 58). It maintains the integrity, authenticity and non-repudiation aspects of an email in much the same way as a person’s handwritten signature is proof of authorship of a letter.
• Cryptographic techniques and digital signatures, though widely available for both private and business use and simple in concept, can nevertheless be technically difficult solutions to understand for someone with poor IT knowledge.

Perceived Barriers to Securing Email
• Email Encryption and Virus Detection Software

Email Encryption and Virus Detection Software
• One of the biggest perceived problems regarding IT security faced by business users is the widely held belief that encrypted email messages would bypass anti-virus and content-checking server-based software.
• There is a very wide range of anti-virus products available on the market, many of which are fully compatible with cryptographic techniques and which can be installed locally. In cases where the anti-virus software cannot be installed locally, the email rules inherent in encryption software are so flexible that users are able to determine which messages are encrypted and which are not.
• By combining the use of solid encryption techniques and careful rule-setting with modern, desktop-based, anti-virus software, comprehensive and effective control of email security would lie entirely, and independently, with the user.

Plugging The Hole
• Rather than being baffled by the technology, businesses need to be clear about their security needs and to choose modern encryption software with good functionality that they understand completely.
• Businesses need to recognise that unprotected email is a risk. It is a vulnerability that cannot be fixed by a firewall installation or by anti-virus implementation. A security policy that does not address the open nature of emails is falling short of its purpose.

The End
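The three points of exposure and the two countermeasures from the Encryption and Digital Signature slides, as an added example that is not part of the original lecture: a constructed message is signed and encrypted with Node.js's built-in crypto module, then altered in transit and re-signed with a second key to show which checks fail. The addresses, the key pairs and the shared AES key are assumptions made for the demonstration; the recipient is assumed to already hold the sender's genuine public key.

```javascript
// Added example: constructed message and freshly generated keys, not from the slides.
const crypto = require('node:crypto');

// Sender's signing key pair (Ed25519).
const sender = crypto.generateKeyPairSync('ed25519');
// A second key pair standing in for someone else signing under the sender's name.
const forger = crypto.generateKeyPairSync('ed25519');

const message = Buffer.from(
  'From: alice@example.test\r\nTo: bob@example.test\r\n\r\nPay invoice 1001: 500 EUR'
);

// Digital signature: covers integrity and authenticity.
function signMail(body, privateKey) {
  return crypto.sign(null, body, privateKey); // Ed25519 takes no separate digest name
}
function verifyMail(body, signature, publicKey) {
  return crypto.verify(null, body, publicKey, signature);
}

// Encryption: covers confidentiality. AES-256-GCM with a key assumed to be
// shared out of band (a simplification of how mail encryption exchanges keys).
function encryptMail(body, key) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([cipher.update(body), cipher.final()]);
  return { iv, ciphertext, tag: cipher.getAuthTag() };
}
function decryptMail({ iv, ciphertext, tag }, key) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
}

function demo() {
  const signature = signMail(message, sender.privateKey);
  const altered = Buffer.from(message.toString().replace('500', '900'));
  const forgedSig = signMail(message, forger.privateKey);
  const key = crypto.randomBytes(32);
  const sealed = encryptMail(message, key);
  return {
    genuine: verifyMail(message, signature, sender.publicKey),
    modifiedInTransit: verifyMail(altered, signature, sender.publicKey),
    forgedSender: verifyMail(message, forgedSig, sender.publicKey),
    unreadableInTransit: !sealed.ciphertext.includes('invoice'),
    decryptedIntact: decryptMail(sealed, key).equals(message),
  };
}
console.log(demo());
```

Only the untouched message signed with the sender's own key verifies; the altered body and the message signed with the other key are both rejected.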