Uploaded by budi-rahardjo
Introduction to Information Security

Hot Security Issues 2010
• Social networks (web 2.0) are becoming popular
  – Facebook, 4sq, Twitter, ...
• Problems
  – Identity theft
  – Reduced work productivity
  – Ethical and legal issues
June 2010, Security Awareness, slide 2
Phishing

Sample phishing email shown on the slide:
From: <[email protected]>
To: …
Subject: USBank.com Account Update URGEgb
Date: Thu, 13 May 2004 17:56:45 -0500
USBank.com Dear US Bank Customer, During our regular update and verification of the Internet Banking Accounts, we could not verify your current information. Either your information has been changed or incomplete, as a result your access to use our services has been limited. Please update your information.
To update your account information and start using our services please click on the link below: http://www.usbank.com/internetBanking/RequestRouter?requestCmdId=DisplayLoginPage
Note: Requests for information will be initiated by US Bank Business Development; this process cannot be externally requested through Customer Support.
Security 2010: regulatory

• Regulatory compliance
  – ISO 27000 (series), SOX, Basel II, ...
  – Bank Indonesia Regulations (PBI) for the banking sector
Security 2010: environment

• Dependence on IT systems keeps increasing
  – Availability is becoming ever more important
  – Natural disasters, human disruption, terrorists, ...
  – Risk analysis, business impact analysis, business continuity planning, ...
Security 2010: technology

• Device trend
  – Smaller
  – Portable
  – Wireless
• How do we limit their use?
• Using them carries risk
Security 2010: human

• The main problem remains: people!
  – Social engineering is still easy to carry out
  – Phishing is still a threat
  – Not following the rules (not changing passwords, passwords that are too easy to guess, sharing passwords, ...)
Chart: Type of Fraud Experienced During the Prior 12 Months (percentages), KPMG survey
Insiders!

• The 1999 Computer Security Institute (CSI) / FBI Computer Crime Survey showed several interesting statistics, for example that the "disgruntled worker" (an insider) is a potential source of attack / abuse. http://www.gocsi.com

Likely sources of attack, percentage of respondents:
  Disgruntled workers   86%
  Independent hackers   74%
  US competitors        53%
  Foreign corporation   30%
  Foreign government    21%
Malware (diagram): virus, worm
Spam

• Email containing junk (usually advertisements)
• Consumes network capacity, disk space and employees' time
• Spam harms business
Security Lifecycle (diagram)
Security Aspects

• Confidentiality
• Integrity
• Availability
• Authentication
• Non-repudiation
Confidentiality

• Protecting sensitive [personal] data
  – Name, place and date of birth, religion, hobbies, past illnesses, marital status, names of family members, ...
  – Customer data. Customer protection must be taken into account
  – Trade secrets
  – Highly sensitive in e-commerce and healthcare
• Attacks: sniffer (eavesdropper), keylogger (keystroke logger), social engineering, unclear policy
• Protection: firewall, cryptography/encryption, segregation of duties, network segmentation, policy
Integrity

• Information must not change without authorization
  – (tampered, altered, modified)
• Attacks:
  – Spoofing (forgery), viruses (modifying files), man-in-the-middle attack
• Protection:
  – message authentication code (MAC), (digital) signature, (digital) certificate, hash function, logging
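Why the slide lists a MAC separately from a plain hash function: against a man-in-the-middle who can rewrite the whole message, a bare hash can simply be recomputed, while an HMAC needs the shared key. This is an added example in Python (not from the slides); the transfer message, account numbers and keys are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample: a payment instruction sent from a client to a bank server.
ORIGINAL = b"transfer 1000000 IDR to account 12345"
TAMPERED = b"transfer 1000000 IDR to account 99999"


def hash_only(message: bytes) -> str:
    """Integrity check with a bare hash function (no key involved)."""
    return hashlib.sha256(message).hexdigest()


def mac_tag(key: bytes, message: bytes) -> str:
    """Message authentication code: HMAC-SHA256 under a shared secret key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest checks the tag in constant time (no timing side channel).
    return hmac.compare_digest(mac_tag(key, message), tag)


def man_in_the_middle_vs_hash() -> bool:
    """Attacker on the channel replaces message AND hash.
    Returns True if the receiver would accept the tampered message."""
    sent_msg, sent_hash = ORIGINAL, hash_only(ORIGINAL)
    # The attacker needs no secret: just recompute the hash of the new text.
    sent_msg, sent_hash = TAMPERED, hash_only(TAMPERED)
    return hash_only(sent_msg) == sent_hash


def man_in_the_middle_vs_mac(key: bytes) -> bool:
    """Same attacker against a MAC: the real key is never on the wire.
    Returns True if the receiver would accept the tampered message."""
    sent_msg, sent_tag = ORIGINAL, mac_tag(key, ORIGINAL)
    # The attacker can only tag the forged text with a key of their own.
    attacker_key = secrets.token_bytes(32)
    sent_msg, sent_tag = TAMPERED, mac_tag(attacker_key, TAMPERED)
    return verify_mac(key, sent_msg, sent_tag)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # shared in advance between client and server
    print("hash accepts tampered message:", man_in_the_middle_vs_hash())
    print("MAC accepts tampered message:", man_in_the_middle_vs_mac(key))
    print("MAC accepts genuine message:", verify_mac(key, ORIGINAL, mac_tag(key, ORIGINAL)))
```

Because both sides hold the same key, a MAC proves integrity but not who sent the message; that is why the non-repudiation slide later relies on digital signatures instead.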
KPU 2004 (image slide)
Availability

• Information must be available when it is needed
  – Attacks on the server: made to hang, go down, crash, slow down
  – Cost when a (transaction) web server goes down in Indonesia
    • Bringing it back up: Rp 25 million
    • (Tangible) losses incurred: Rp 300 million
• Attacks: Denial of Service (DoS) attack
• Protection: backup, redundancy, DRC, BCP, firewall to protect against attacks
Authentication

• Ensuring the authenticity of the data, the source of the data, the person accessing the data, and the server being used
  – How do we recognize a customer in an Internet-based service? Lack of physical contact
  – Using:
    what you have (identity card)
    what you know (password, PIN)
    what you are (biometric identity)
    Claimant is at a particular place (and time)
    Authentication is established by a trusted third party
• Attacks: fake identity, fake password, fake terminal, fake website
• Protection: digital certificates
ATM Crime

• An ordinary ATM?
• Look more closely: a skimmer

(image slide) Capturing the PIN with a wireless camera
Non-repudiation

• Cannot deny (having carried out a transaction)
  – Using digital signatures / certificates
  – Legal provisions exist (stating that a digital signature is equivalent to a conventional signature)
IT Security Framework (diagram)
Security Culture

• Security must become part of our habits
  – Locking the doors of our house and vehicle
  – Leaving the computer locked (screen lock)
  – Not leaving valuables lying around the house
  – Making a habit of clearing the desk (clean desk)