Information Systems Security: Introduction and Concepts - PowerPoint PPT Presentation

1
Information Systems Security: Introduction and Concepts
  • Widyawan
  • Electrical Engineering Department
  • Gadjah Mada University

2
  • Is not the mouse that is the thief, it is the
    hole that let the mouse in
  • Babylonian Talmud, Tractate Baba Metzia

3
Learning Plan
  • Topics
    • Introduction
    • Security Concepts
    • Security Process and Topologies
    • Attack Strategies
    • Security and TCP/IP
    • Malicious Code
    • Infrastructure and Connectivity
    • Monitoring
    • Cryptography
    • Security Management

4
  • Assessment
    • 25% simulation/programming
    • 25% paper and/or presentation
    • 50% exam
  • Book
    • Security Study Guide, Michael Pastore, Sybex
    • Hacking Exposed, Scambray, McGraw-Hill

5
  • Paper and Presentation
    • Disaster Recovery Plan
    • Security Manual: a case study
    • Securing Protocol and Services: why and what
    • Protocol-specific security analysis
    • DMZ
  • Assistance
    • Access Control
    • How to NAT and Protocol
  • Simulation
    • NAT
    • Securing Protocol and Services

6
Course Philosophy
  • We are not going to be able to cover everything
  • Main goals
  • Exposure to different aspects of security, meant
    mainly to spark your interest
  • The mindset of security
  • Become familiar with basic crypto, acronyms (RSA,
    SSL, PGP, etc.), and buzzwords
  • Security is a process, not a product

7
Crisis
  • The Internet has grown very fast and security has
    lagged behind.
  • Legions of hackers have emerged because the barrier
    to entering the hackers' club is low.
  • It is hard to trace the perpetrators of cyber
    attacks since their real identities are camouflaged.
  • It is very hard to track people down because of
    the ubiquity of the network.
  • Large-scale failures of the Internet can have a
    catastrophic impact on the economy, which relies
    heavily on electronic transactions.

8
Computer Crime: The Beginning
  • In 1988 a "worm program" written by a college
    student shut down about 10 percent of computers
    connected to the Internet. This was the
    beginning of the era of cyber attacks.
  • In 1994 a 16-year-old music student called
    Richard Pryce, better known by the hacker alias
    Datastream Cowboy, is arrested and charged with
    breaking into hundreds of computers including
    those at the Griffiss Air Force Base, NASA and
    the Korean Atomic Research Institute. His online
    mentor, "Kuji", is never found.

9
1995
  • In February, Kevin Mitnick is arrested for a
    second time. He is charged with stealing 20,000
    credit card numbers. He eventually spends four
    years in jail and on his release his parole
    conditions demand that he avoid contact with
    computers and mobile phones.
  • On November 15, Christopher Pile becomes the
    first person to be jailed for writing and
    distributing a computer virus. Mr Pile, who
    called himself the Black Baron, was sentenced to
    18 months in jail.

10
1999 and 2000
  • In March, the Melissa virus goes on the rampage
    and wreaks havoc with computers worldwide. After
    a short investigation, the FBI tracks down and
    arrests the writer of the virus, a 29-year-old
    New Jersey computer programmer, David L Smith.
  • In February, some of the most popular websites in
    the world such as Amazon and Yahoo are almost
    overwhelmed by being flooded with bogus requests
    for data.
  • In May, the ILOVEYOU virus is unleashed and clogs
    computers worldwide. Over the coming months,
    variants of the virus are released that manage to
    catch out companies that didn't do enough to
    protect themselves.
  • In October, Microsoft admits that its corporate
    network has been hacked and source code for
    future Windows products has been seen.

12
Incidents in Indonesia
  • Web defacement
  • www.RedHat.or.id
  • Satelindo.co.id
  • Polri.go.id
  • FKP.or.id
  • BEJ, etc.
  • http://www.2600.com
  • Indonesia is no. 2 for carding
  • E-commerce embargo on Indonesian IP addresses
  • Difficulties in IP administration

13
Why Information Security
  • Information is an economic commodity → an asset
    that must be protected
  • The Internet opens an isolated system to the world
  • Security is given low priority (even in
    large enterprises)
  • Security is a people problem

14
Security is a people problem
  • Security is needed because people don't behave the
    way we wish they would
  • Reasons: crime, malice, curiosity, stupidity
  • Security problems are here to stay
  • Technical solutions can only address a part of
    the problem
  • Technical measures have to be managed in a wider
    security culture
  • Social engineering is a powerful attack method

15
Security is a process, not a product
  • You cannot solve your security problems once and
    for all and then sit back and relax
  • IT systems keep changing
  • Attackers are inventive
  • Threats keep changing
    • new attacks, e.g. the latest Internet worm
    • new security requirements, e.g. resilience
      against denial-of-service attacks
  • Keep your defences up-to-date

16
Information Security (ISec)
  • Covers a wide array of activities in an organization
  • Includes both products and processes to prevent
    unauthorized access, modification and deletion of
    information, knowledge, data and facts.
  • The protection of resources by preventing them
    from being disrupted by attack

17
ISec Primary Focus
  • Three focus areas
    • Physical Security
    • Operational Security
    • Management and Policies
  • Security Triad

18
Physical Security
  • Protection of the assets and information from
    physical access by unauthorized personnel
  • Three components
    • Making a physical location less desirable as a
      target
    • Detecting penetration or theft
    • Recovering from a theft or loss of critical
      information or systems

19
Operational Security
  • How the organization does things: includes
    computers, networks, communication systems and
    management of information
  • Includes access control, authentication, security
    topologies, backup and recovery plans
  • One of the most effective ways to increase
    operational security → emphasize security
    training

20
Management and Policies
  • Management and Policies provide the guidance,
    rules and procedures for implementing a security
    environment
  • Policies, to be effective, must have full and
    uncompromising support from the management team
  • A number of key policies
    • Administrative Policies
    • Design Requirement
    • Disaster Recovery Plan
    • Information Policies
    • Security Policies
    • Usage Policies
    • User Management Policies

21
  • Administrative Policies
    • Lay out guidelines and expectations for upgrades,
      monitoring, backups and audits
    • Specific enough for system administrators and
      staff to conduct business
    • Flexible enough to allow for emergencies and
      unforeseen circumstances
  • Design Requirement
    • Outlines what the capabilities of the system must be
    • Typically part of the initial design
    • If the design is not included as an integral part of
      the implementation, the system will have vulnerabilities

22
  • Disaster Recovery Plan
    • Recovery plan to enable system operation after a
      disaster
    • The key aspect is a comprehensive backup plan
    • Sometimes needs a hot site
  • Information Policies
    • Refer to various aspects of information security
    • Include access, classification, marking and
      storage, and transmission and destruction of
      sensitive information
  • Security Policies
    • Security Policies define how the configuration of
      systems and networks occurs
    • Also define how Identification and Authorization
      (IA) occurs, access control, audits and network
      connectivity
    • Encryption and anti-virus software are usually
      covered here
    • Password selection and account expiration are
      covered as well

23
  • Usage Policies
    • Cover how information and resources are used and
      lay down the law about computer usage
    • Include statements about privacy, ownership and
      the consequences of improper acts
    • Should clearly explain usage expectations about
      the Internet and e-mail
  • User Management Policies
    • Various actions that must occur in the normal
      course of employee activities
    • Address how new employees are added to the
      system, training and orientation
    • Updating or deleting the privileges and access of
      transferred or terminated employees
    • In most cases the system administrator is not
      notified about personnel changes

24
Security Strategy
  • Prevention
    • Preventing computer or information violations
      from occurring
    • Ideally, security procedures and policies would
      make a system invulnerable to attack. Unfortunately,
      this is not the case; they only lower the likelihood
      of a successful attack
  • Detection
    • Take measures so that you can detect when, how,
      and by whom an asset has been damaged
    • May involve complicated tools or a simple
      examination of log files

25
  • Response
    • Developing strategies and techniques to deal with
      an attack or loss
    • Better to have a recovery plan than to respond on
      the fly
  • Example: Private Property
    • Prevention: locks on doors, window bars, walls
      round the property
    • Detection: stolen items are missing, burglar
      alarms, closed-circuit TV
    • Reaction: call the police, replace stolen items,
      make an insurance claim

26
  • Example: E-Commerce
    • Prevention: encrypt your orders, rely on the
      merchant to perform checks on the caller, don't
      use the Internet (?)
    • Detection: an unauthorized transaction appears on
      your credit card statement
    • Reaction: complain, ask for a new card number,
      etc.

27
Security Objectives
  • Confidentiality: prevent unauthorised disclosure
    of information
  • Integrity: prevent unauthorised modification of
    information
  • Availability: prevent unauthorised withholding
    of information or resources
  • Other aspects: accountability, authenticity

28
  • Confidentiality
    • Prevent unauthorised disclosure of information
      (prevent unauthorised reading)
    • Sometimes, security and confidentiality are used
      as synonyms
    • Do we want to hide the content of a document or
      its existence?
  • Integrity
    • Prevent unauthorised modification of information
      (prevent unauthorised writing)
    • Integrity in communications: detection (and
      correction) of intentional and accidental
      modifications of transmitted data
    • In the most general sense: make sure that
      everything is as it is supposed to be; the data
      in a computer system should correctly reflect
      some reality outside the computer system
    • (This is highly desirable but cannot be
      guaranteed by mechanisms internal to the computer
      system.)

29
  • Availability
    • The property of being accessible and usable upon
      demand by an authorised entity
    • Denial of Service (DoS): the prevention of
      authorised access to resources or the delaying of
      time-critical operations
    • Maybe the most important aspect of computer
      security, but few methods are around
    • Distributed denial of service (DDoS) receives a
      lot of attention; systems are now designed to be
      more resilient against these attacks

30
  • Accountability
    • Audit information must be selectively kept and
      protected so that actions affecting security can
      be traced to the responsible party
    • Users are identified and authenticated to have a
      basis for access control decisions.
    • The security system keeps an audit log (audit
      trail) of security-relevant events to detect and
      investigate intrusions
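
The accountability and integrity slides together call for an audit trail that is "kept and protected" and in which modifications can be detected. The sketch below is an added example, not part of the original slides: it chains each audit entry to the previous one with an HMAC so that an edited or deleted entry is detected on verification. The key, user names, record identifiers and the `expected_len` counter are constructed assumptions.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # assumption: real key is held off the logged host
GENESIS = "0" * 64

def _tag(prev_tag, record):
    """HMAC-SHA256 over the previous entry's tag plus this record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(KEY, (prev_tag + body).encode(), hashlib.sha256).hexdigest()

def append(log, user, action, target):
    """Record who did what to which asset, chained to the entry before it."""
    record = {"seq": len(log), "user": user, "action": action, "target": target}
    prev = log[-1]["tag"] if log else GENESIS
    log.append({"record": record, "tag": _tag(prev, record)})

def verify(log, expected_len=None):
    """Return the index of the first inconsistent entry, or None if intact.

    expected_len is an entry count kept outside the log; without it, removal
    of the newest entries cannot be noticed.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        rec = entry["record"]
        ok = rec.get("seq") == i and hmac.compare_digest(entry["tag"], _tag(prev, rec))
        if not ok:
            return i
        prev = entry["tag"]
    if expected_len is not None and len(log) < expected_len:
        return len(log)
    return None

def actions_by(log, user):
    """Trace actions back to the responsible party (trust only after verify)."""
    return [(e["record"]["action"], e["record"]["target"])
            for e in log if e["record"]["user"] == user]

def build_sample():
    """Constructed events for a medical-records system."""
    log = []
    append(log, "dr_a", "read", "record/1001")
    append(log, "nurse_b", "update", "record/1001")
    append(log, "dr_a", "emergency_read", "record/2002")
    return log

if __name__ == "__main__":
    log = build_sample()
    log[1]["record"]["user"] = "dr_a"       # simulated after-the-fact edit
    print("first bad entry:", verify(log))  # index of the altered entry
```

The chain only detects tampering; keeping the key and the entry count on a separate system is what keeps someone who controls the logged host from rebuilding a consistent chain.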

31
  • Medical records that are accessible on-line are
    sensitive information that should be protected
    from disclosure, but in an emergency it is highly
    desirable that whoever treats you has access to
    your record. How would you use prevention,
    detection, and recovery to secure your records?