security - Binus Repository
Course : F0662/Web Based Accounting
Year : 2005
Version : 1/0
Session 5
Human Factors of Risks in e-Business
1
Learning Outcomes
By the end of the session, students are expected to be able to:
• Explain that human factors are one of the factors that constitute a weak link (TIK-5)
• Explain how to anticipate and manage e-Business risks (TIK-5)
2
Outline of Material
• Topic 1: Human factors as one of the factors that constitute a weak link
• Topic 2: How to anticipate and manage e-Business risks.
3
Human Factors in e-Business
• People, the weak link in e-business
• Responsible Personnel
• Action Plan for Breach of Security
4
System Interdependencies
• E-Business often involves highly
interdependent partnerships with
customers, suppliers, and various
electronic service providers.
5
Anticipating & Managing Risks
• The most dangerous risk category is what
we might call emergent risks: threats that
have yet to be identified.
• Sometimes a “patch” creates more “holes”
• A list of 10 best practices for e-commerce self-defence has been released by the AICPA.
6
Frequent Security Incidents
• The vast majority of calls I get are in regard to a
“hacking incident”
• Almost all of these incidents are on Internet-connected
machines
7
Frequent Security Incidents
• Most incidents are precipitated by:
– An external complaint (your mail server is sending
me a lot of spam e-mail)
– A change in the system (the hard drive is full,
strange new programs are running, tape backups
are taking a lot longer)
– The Internet is “slow” or we see strange activity
– A threat from an insider – usually a network
administrator making casual statements about how
they could “take them out” if they ever got fired
8
Frequent Security Incidents
• Many complaints focus on inappropriate use of
company technology:
– Employees looking at pornography at work
– A user is suspected of having “hacking” tools
– Suspected theft of trade secrets / proprietary info
9
Frequent Security Incidents
• Another frequent event is an “employee termination”
scenario:
– Employee is usually a computer administrator
– Employee has extensive access to many systems
– Employee is a “troublemaker”
– Employer wishes help in terminating the employee,
and wants to remove their access FIRST before firing
him
– Typically involves a lot of brainstorming to identify all
possible points of ingress to the computing
environment
10
Breaching
• Enterprises spend millions to protect
themselves from the threat of computer
sabotage/breach. Internal staff members are
among the potential sources of a breach and
may be suspected of being part of the problem.
11
Breaching
Based on experience (at least that of Bank Central
Asia, Indonesia), 70% of network security breaches
are due to procedural aspects. 30% of the attacks are
partly due to technical aspects, such as the information
systems infrastructure and security tools. BCA's
statistics also show that 62% of attacks were internal
and 38% external (1996, when BCA used an intranet);
after moving to the Internet the split was 41% internal
to 59% external (2000), and 30% to 70% (2001).
Auditing, management controls and awareness are key
points as security building blocks.
12
Breach by Internal Staff
([email protected], 2002)
Types of security breaches
• Not-entitled users accessing resources 57%
• Accounts left open after staff left company 43%
• Victim of information theft from your network 30%
• Access to contractors not terminated upon project
completion 27%
• Attempted or successful break-in by angry
employee 21%
13
Breach Typical Scenario
• The angry employee (21%) is one of the most clearly illegal,
yet most difficult to anticipate, types of breach.
• The introverted style of Information Technology staff.
• Frustration during a project activity, or because of
overload.
• Excessive trust in information technology staff, giving them
the opportunity to conduct a breach.
• No clear security policy in a company or organization.
• Passwords or IDs of ex-staff that are not deleted.
• Management controls or internal audit that are not
effective.
14
Company Response to Breach
• Enterprise response, auditing and discovery solutions provide
an integrated platform for responding to enterprise incidents and
threats, and offer the following benefits:
– Accelerate response time to information security breaches.
– Empower the enterprise to better control assets and infrastructure.
– Conduct comprehensive investigations and audits.
– Reduce the potential liability from misuse of corporate
information and assets.
– Eliminate costly and archaic investigation/auditing procedures.
– Increase information systems’ reliability and availability by
conducting investigations while systems are online.
15
An Impersonal World
• There are really two different types of computer security
incidents – personal and impersonal
• In my work, they are almost always impersonal hacking
attacks, not someone who intentionally targeted the victim
• Most hackers couldn't care less who you are, or what sensitive
information you have; they simply want to control an Internet-connected server
16
An Impersonal World
• Usually this access is used in a few ways:
– To commit crimes, using you as the staging point
– To share questionable material, using your Internet
connection and server space (the “warez” server)
– To access questionable material, using you as a relay to
hide their origin (frequently porn)
– To use you as a SPAM relay to send junk e-mail to
thousands of people
17
How Hacking Happens
• Hacking is generally possible due to a vulnerability or a misconfiguration in some server or device
• Vulnerabilities exist, and are constantly discovered, in all
types of systems by hackers and “white hats”
• Patches are released, but rarely applied due to lack of
resources, awareness, or just plain apathy
• Case in point – the latest major Internet worm, called
“Slammer”, took advantage of a hole for which a software
fix had been available for over a year!
18
How Hacking Happens
• Hacking also occurs due to a variety of mis-configuration
issues such as:
– Not using a firewall to restrict access from the Internet
– Running programs that are not necessary
– Poor passwords, default passwords
– Default configurations
19
Understanding Networks
20
Understanding Networks
• The example given previously is an example of “best practices” in
network design, and provides some defense against Internet attacks
• Many (most?) organizations do not have an adequate network
design, and have significant risk from the Net
• Even the BEST network design can’t protect a machine that is
insecure!
21
Understanding Networks
• Each machine that can talk to the Internet has a unique identifier
called an “IP Address”
• IP addresses are sometimes static, and sometimes change
frequently (especially for dial-up users)
• Regardless, tracking IP addresses is frequently our only recourse
to track network attacks
• For example, if the IP address of a hacker can be tracked to AOL, it
is then possible to obtain further info from AOL through legal action
22
Types of Investigation
• Once a call comes in requesting help in investigation, the
engineer is dispatched on-site
• The first (and perhaps most important) step is to discuss the
situation with the victim before doing any work
• There are basically three ways to approach an investigation:
– “Pull the Plug” – don’t touch the machine
– “Limited Investigation” – tread lightly
– “Extensive Investigation” – heavy footprint
23
Types of Investigation
• Each of these approaches has advantages and
disadvantages, depending on your goals
• The most important question to ask is how strongly the
customer feels about trying to prosecute
• The second most important question to ask is how much $$
they have to spend
24
“Pull the Plug”
• Used when a company is VERY intent on prosecution and
does not want to risk any tampering w/ evidence
• As the title implies, the only investigation physically performed
on the target system would be to pull the power and network
cords
• This is highly disruptive and expensive, as the server is no
longer available
25
“Pull the Plug”
• Immediate results may also be lost (you might miss
evidence that would lead you to investigate other systems, for
example)
• There is also no opportunity to examine the “state” of the
machine that will be lost when turned off:
– Which programs are running
– Current network connections
• Investigation of other data sources should still be performed
(for all types)
26
Unclassified
[Diagram: “BP Areas” of Information Technology Security best security practices (BSPs); labels include Management, Controls, Audit, Risk, Personnel, Operations, Accreditation, Contingency, Fire, Environmental, Financial, Protection, Critical Infrastructure and Sectors. The figure itself is not reproduced in the transcript.]
27
Unclassified
Some of the universal dos/don’ts that govern us are:
• The road block, or, “do not put all eggs in one basket”.
• The reactionary, or, shutting the gate once the horse has bolted.
• The patchwork quilt, or, divide and fall.
• The myth: if you buy the best security products on the market then you are less likely to suffer a security breach.
• The Plate Spinner, or, too much to manage. The key to effective security is vision: the ability to monitor all areas simultaneously and to set up alerts for irregular activity.
• The Agoraphobic, or, too paranoid about what’s outside. Fear of external threats is understandable, but that’s no reason to put all your effort into fending off the wolf at your door. Most accidents happen in the home; internal users or ex-staff commit by far the majority of security breaches. A recent Meta report highlighted that, over the lifecycle of an employee, he or she has 17 user IDs; however, when employees leave only eleven user IDs are ever deleted.
28
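The "17 IDs held, 11 deleted" observation above and the earlier breach statistics (accounts left open after staff left, contractor access not terminated) both come down to the same control: reconciling the HR leavers list against every system's account inventory. As an added example that is not part of the lecture, the Python below does that reconciliation over constructed sample data; the system names and employee numbers are hypothetical.

```python
# Added example (not from the lecture): reconcile an HR leavers list with
# per-system account inventories to find IDs left open after staff leave.
# All data and system names below are constructed for illustration.
from datetime import date
from typing import NamedTuple

class Account(NamedTuple):
    system: str    # hypothetical system name
    user_id: str
    owner: str     # HR employee number; "" if nobody is on record
    enabled: bool

# Constructed HR feed: employee number -> ISO exit date, or None if active.
HR_STATUS = {"E100": None, "E101": "2002-03-15", "E102": "2002-06-30"}
# Constructed inventory: one person holds IDs on several systems, mirroring
# the lecture's point that only some of a leaver's IDs ever get deleted.
ACCOUNTS = [
    Account("ldap", "jdoe", "E101", False),       # this one was disabled
    Account("mail", "jdoe", "E101", True),
    Account("db-prod", "jdoe_dba", "E101", True),
    Account("vpn", "contractor7", "E102", True),  # contractor, project over
    Account("ldap", "asmith", "E100", True),      # current employee, fine
    Account("mail", "svc-backup", "", True),      # no HR owner at all
]

def orphaned_accounts(accounts, hr_status, today):
    """Return (account, reason) for enabled IDs that should be disabled:
    owner left on or before `today` (ISO date string), or no HR owner
    exists, so no leaver process could ever trigger the removal."""
    as_of = date.fromisoformat(today)
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        exit_date = hr_status.get(acct.owner)
        if acct.owner not in hr_status:
            findings.append((acct, "no HR owner"))
        elif exit_date and date.fromisoformat(exit_date) <= as_of:
            findings.append((acct, f"owner left {exit_date}"))
    return findings

def leaver_cleanup(accounts, hr_status):
    """Per leaver: (ids held, ids already disabled); the gap is exposure."""
    stats = {}
    for acct in accounts:
        if hr_status.get(acct.owner):             # owner has an exit date
            held, gone = stats.get(acct.owner, (0, 0))
            stats[acct.owner] = (held + 1, gone + (not acct.enabled))
    return stats
```

Run `orphaned_accounts(ACCOUNTS, HR_STATUS, "2002-09-01")` to list the three leaver IDs still enabled plus the ownerless service account, and `leaver_cleanup(ACCOUNTS, HR_STATUS)` to see that only one of E101's three IDs was ever disabled.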
REFERENCES
• Find articles on security/breaching in e-Business from sources including:
• http://www.entrepreneur.com/
• http://www.oleran.com/security.htm
• http://www.genuity.com/services/security/
• http://www.unisys.com/
• http://www.macroint.com/
• http://www.vigilinx.com/
• http://www.avatier.com/
• http://www.echelonsystems.com/security
• http://news.com.com/
• http://www.madison-gurkha.com/serv_security
• http://www.cai.com/
• http://www.digitalresearch.com/digitalresearch/company/
• http://chancellor.ucdavis.edu/
• http://www.online-edge.co.uk/
• http://www.activis.com/
• http://www.guidancesoftware.com/
• http://www.informationweek.com/
• http://www.escrowconsulting.com/
• http://www.shake.net/
29
Summary
• Students are required to write a summary
30