Security awareness


1. Introduction to Information Security
   Budi Rahardjo
   budi@indocisc.com

2. Hot Security Issues 2010
   • Social networks (web 2.0) are becoming popular
     – Facebook, 4sq, twitter, ...
   • Problems
     – Identity theft
     – Reduced work productivity
     – Ethical and legal problems
   Security Awareness, June 2010

3. Phishing
   From: <USbank-Notification-Urgecq@UsBank.com>
   To: …
   Subject: USBank.com Account Update URGEgb
   Date: Thu, 13 May 2004 17:56:45 -0500

   USBank.com
   Dear US Bank Customer,
   During our regular update and verification of the Internet Banking Accounts, we could not verify your current information. Either your information has been changed or incomplete, as a result your access to use our services has been limited. Please update your information. To update your account information and start using our services please click on the link below:
   http://www.usbank.com/internetBanking/RequestRouter?requestCmdId=DisplayLoginPage
   Note: Requests for information will be initiated by US Bank Business Development; this process cannot be externally requested through Customer Support.

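As an added example (not part of the original deck), a small Python check that runs the awareness-level red flags illustrated by the slide above over that message; the recipient address, the keyword lists and the greeting pattern are assumptions chosen for illustration:

```python
import re
from email import message_from_string

# Sample message constructed from the phishing e-mail shown on the slide;
# the recipient address is a placeholder, not from the slide.
SAMPLE = """\
From: <USbank-Notification-Urgecq@UsBank.com>
To: customer@example.com
Subject: USBank.com Account Update URGEgb
Date: Thu, 13 May 2004 17:56:45 -0500

Dear US Bank Customer, During our regular update and verification of the
Internet Banking Accounts, we could not verify your current information.
Either your information has been changed or incomplete, as a result your
access to use our services has been limited. Please update your information.
To update your account information and start using our services please
click on the link below:
http://www.usbank.com/internetBanking/RequestRouter?requestCmdId=DisplayLoginPage
"""

# Assumed indicator lists: pressure words and account-verification lures.
URGENCY = ("urgent", "urge", "immediately", "limited", "suspended")
LURE = ("verify your", "update your", "account information", "click on the link")
URL_RE = re.compile(r"https?://([^\s/]+)\S*")
GREETING_RE = re.compile(r"dear\s+(valued\s+)?[\w. ]*(customer|user|member)\b")


def sender_domain(raw_message: str) -> str:
    """Domain of the From: address (lower-cased), e.g. 'usbank.com'."""
    sender = message_from_string(raw_message)["From"] or ""
    return sender.strip("<> ").rsplit("@", 1)[-1].lower()


def phishing_indicators(raw_message: str) -> list[str]:
    """Return the awareness-level red flags found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    subject = (msg["Subject"] or "").lower()
    body = msg.get_payload()  # single-part text message
    text = subject + "\n" + body.lower()
    flags = []
    if any(word in text for word in URGENCY):
        flags.append("urgency language")
    if any(phrase in text for phrase in LURE):
        flags.append("account-update lure")
    if GREETING_RE.search(text):
        flags.append("generic greeting")
    hosts = URL_RE.findall(body)
    if hosts and "click" in text:
        flags.append("asks to follow link")
    # A link host that differs from the sender domain is a further flag; a
    # matching host (as in this sample) proves nothing, since the visible
    # text of a link need not be where it actually leads.
    if any(not h.lower().endswith(sender_domain(raw_message)) for h in hosts):
        flags.append("link host differs from sender domain")
    return flags
```

In this sample the visible link host matches the sender domain, so that comparison clears nothing on its own; the other flags are what an awareness reader should notice.
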
4. Security 2010: regulatory
   • Compliance with regulations (regulatory compliance)
     – ISO 27000 (series), SOX, Basel II, ...
     – Bank Indonesia Regulations (PBI) for banking

5. Security 2010: environment
   • Dependence on IT systems keeps increasing
     – Availability is becoming ever more important
     – Natural disasters, human disruption, terrorists, ...
     – Risk analysis, business impact analysis, business continuity planning, ...

6. Security 2010: technology
   • Device trend
     – Smaller
     – Portable
     – Wireless
   • How do we limit their use?
   • There are risks in using them

7. Security 2010: human
   • The main problem is still: people!
     – Social engineering is still easy to carry out
     – Phishing is still a threat
     – Not following the rules (not changing passwords, passwords that are too easy to guess, sharing passwords, ...)

8. [Chart: Type of Fraud Experienced During the Prior 12 Months (Percentages), KPMG survey]

9. Insiders!
   • The 1999 Computer Security Institute (CSI) / FBI Computer Crime Survey showed some interesting statistics, for example that "disgruntled workers" (insiders) are a potential source of attack / abuse. http://www.gocsi.com
     Disgruntled workers: 86%
     Independent hackers: 74%
     US competitors: 53%
     Foreign corporation: 30%
     Foreign government: 21%

10. Virus, Worm, Malware

11. Spam
   • Email containing junk (usually advertising)
   • Consumes network, disk and workers' time
   • Spam harms business

12. Security Lifecycle

13. Security Aspects
   • Confidentiality
   • Authentication
   • Integrity
   • Non-repudiation
   • Availability

14. Confidentiality
   • Protection of sensitive [private] data
     – Name, place and date of birth, religion, hobbies, past illnesses, marital status, names of family members, ...
     – Customer data. Customer protection must be taken into account
     – Trade secrets
     – Highly sensitive in e-commerce and healthcare
   • Attacks: sniffer (eavesdropper), keylogger (keystroke logger), social engineering, unclear policies
   • Protection: firewall, cryptography / encryption, segregation of duties, network segmentation, policies

15. Integrity
   • Information does not change without permission
     – (tampered, altered, modified)
   • Attacks:
     – Spoofing (forgery), viruses (modifying files), man-in-the-middle attack
   • Protection:
     – message authentication code (MAC), (digital) signature, (digital) certificate, hash function, logging

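As an added example (not from the deck), Python code contrasting two of the integrity protections listed on the slide above: a bare hash function, which an attacker who can modify the file or sit in the middle can simply recompute, and a keyed MAC (HMAC-SHA256), which detects the change because the attacker lacks the key. The transfer record and the key are constructed placeholders.

```python
import hashlib
import hmac

# Constructed transfer record and a placeholder key (a real key would come
# from a key-management system, never a literal in code).
RECORD = b"transfer;from=ACC-100;to=ACC-200;amount=1000000"
KEY = b"shared-secret-demo-key"


def plain_digest(data: bytes) -> str:
    """Unkeyed SHA-256: anyone can recompute it for any data."""
    return hashlib.sha256(data).hexdigest()


def mac_tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 tag: only holders of the key can produce a valid one."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_digest(data: bytes, digest: str) -> bool:
    return hmac.compare_digest(plain_digest(data), digest)


def verify_mac(data: bytes, tag: str, key: bytes) -> bool:
    # compare_digest avoids leaking the tag through timing differences.
    return hmac.compare_digest(mac_tag(data, key), tag)


def tamper(data: bytes) -> bytes:
    """Model the slide's 'virus modifies the file' / man-in-the-middle case."""
    return data.replace(b"amount=1000000", b"amount=9000000")


def demo() -> tuple[bool, bool]:
    """Return (hash detected tampering, MAC detected tampering)."""
    altered = tamper(RECORD)
    # Attacker recomputes the unkeyed hash for the altered record, so the
    # receiver's check passes: the plain hash alone gives no integrity.
    forged_digest = plain_digest(altered)
    hash_detects = not verify_digest(altered, forged_digest)
    # The keyed tag sent with the original record no longer matches the
    # altered record, and the attacker cannot produce a new one without KEY.
    tag = mac_tag(RECORD, KEY)
    mac_detects = not verify_mac(altered, tag, KEY)
    return hash_detects, mac_detects
```

A digital signature gives the same tamper detection with a private key that only the signer holds, which is what the later non-repudiation slide relies on.
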
16. KPU 2004

17. Availability
   • Information must be available when it is needed
     – Attacks on servers: made to hang, go down, crash, slow down
     – Cost when a web (transaction) server goes down in Indonesia
       • Bringing it back up: Rp 25 million
       • Tangible losses incurred: Rp 300 million
   • Attack: Denial of Service (DoS) attack
   • Protection: backup, redundancy, DRC, BCP, firewall to protect against attacks

18. Authentication
   • Assuring the authenticity of data, the source of the data, the person accessing the data, and the server being used
     – How do we recognise a customer on an Internet-based service? Lack of physical contact
     – Using:
       what you have (identity card)
       what you know (password, PIN)
       what you are (biometric identity)
       Claimant is at a particular place (and time)
       Authentication is established by a trusted third party
   • Attacks: fake identity, fake password, fake terminal, bogus web site
   • Protection: digital certificates

19. ATM Crime
   • An ordinary ATM machine?
   • Look more closely: skimmer

20. Capturing the PIN with a wireless camera

21. Non-repudiation
   • Cannot deny (having carried out a transaction)
     – Using digital signatures / certificates
     – Legal arrangements are in place (that a digital signature is equivalent to a conventional signature)

22. IT Security Framework

23. Security Culture
   • Security must become part of our habits
     – Locking house doors and vehicles
     – Leaving the computer locked (screen lock)
     – Not leaving valuables lying around the house
     – Getting into the habit of clearing the work desk (clean desk)