Security System 1 - 01

8/14/2019 Security System 1 - 01

1/38

#1


2/38

AGENDA

Class Agreements

Aspects of Computer Security

Aspects of Security Threat

Security Methods


3/38

CLASS AGREEMENTS

LECTURER:

IR. HARRY T.Y ACHSAN, M.KOM

[email protected]

(021) 7150 8843

0818 0854 0094
mailto:[email protected]:[email protected]


4/38

CLASS AGREEMENTS

ASSESMENT

Activity in class 40%

Home works/Quizzes 20%

Mid Term 15%

Final Exam 25%

REFERENCE


5/38

CLASS AGREEMENTS

OPEN BOOK (selalu & always)

so, you have to have the reference book

CHEATING

Mencontek/dicontek sama-sama

mendapat penghargaan nilai 10 !!!


6/38

Why is the computer security

important? *) Computer security is the process of

preventing and detecting unauthorized useof a computer.

Prevention measures help us to stopunauthorized users (also known as"intruders") from accessing any part of ourcomputer system. Detection helps us todetermine whether or not someoneattempted to break into our system, if theywere successful, and what they may havedone.

* htt ://www.armor2net.com/knowled e/com uter securit .htm


7/38


important? We use computers for everything from

banking and investing to shopping andcommunicating with others through emailor chat programs. Although we may notconsider our communications "top secret,"we probably do not want strangers readingour email, using our computer to attackother systems, sending forged email from

our computers, or examining personalinformation stored on your computer (suchas financial statements).


8/38


important?

Intruders (also referred to as hackers,

attackers, or crackers) may not care

about your identity. Often they want to

gain control of your computer so theycan use it to launch attacks on other

computer systems.


9/38


important?

Having control of your computer gives

them the ability to hide their true location

as they launch attacks, often against

high-profile computer systems such asgovernment or financial systems. Even if

you have a computer connected to the

Internet only to play the latest games orto send email to friends and family, your

computer may be a target.


10/38


important?

Intruders may be able to watch all your

actions on the computer, or cause

damage to your computer by

reformatting your hard drive or changingyour data.


11/38


important?

Unfortunately, intruders are always

discovering new vulnerabilities

(informally called "holes") to exploit in

computer software. The complexity ofsoftware makes it increasingly difficult to

thoroughly test the security of computer

systems.


12/38


important?

Also, some software applications havedefault settings that allow other users toaccess your computer unless you

change the settings to be more secure.Examples include chat programs that letoutsiders execute commands on yourcomputer or web browsers that could

allow someone to place harmfulprograms on your computer that runwhen you click on them.


13/38


Authentication

Authentication is the process of

determining whether someone or

something is, in fact, who or what it isdeclared to be.

In private and public computer networks

(including the Internet), authentication iscommonly done through the use of

logon passwords.
http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci211621,00.htmlhttp://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci212499,00.htmlhttp://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci212499,00.htmlhttp://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci211621,00.html


14/38


Authentication

Knowledge of the password is assumed toguarantee that the user is authentic. Eachuser registers initially (or is registered by

someone else), using an assigned or self-declared password. On each subsequentuse, the user must know and use thepreviously declared password. Theweakness in this system for transactionsthat are significant (such as the exchangeof money) is that passwords can often bestolen, accidentally revealed, or forgotten.


15/38


Authentication

For this reason, Internet business andmany other transactions require a morestringent authentication process. The use

ofdigital certificates issued and verified bya Certificate Authority (CA) as part of apublic key infrastructure is considered likelyto become the standard way to performauthentication on the Internet.

Logically, authentication precedesauthorization (although they may oftenseem to be combined).
http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci211947,00.htmlhttp://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci213831,00.htmlhttp://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci214299,00.htmlhttp://searchsoftwarequality.techtarget.com/sDefinition/0,,sid92_gci211622,00.htmlhttp://searchsoftwarequality.techtarget.com/sDefinition/0,,sid92_gci211622,00.htmlhttp://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci214299,00.htmlhttp://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci213831,00.htmlhttp://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci211947,00.html


16/38


Integrity

Assurance that the data being accessed

or read has neither been tampered with,

nor been altered or damaged through asystemerror, since the time of the last

authorized access.

http://www.infogix.com/information_integrity_defined
http://www.businessdictionary.com/definition/assurance.htmlhttp://www.businessdictionary.com/definition/data.htmlhttp://www.businessdictionary.com/definition/system.htmlhttp://www.businessdictionary.com/definition/error.htmlhttp://www.businessdictionary.com/definition/access.htmlhttp://www.businessdictionary.com/definition/access.htmlhttp://www.businessdictionary.com/definition/error.htmlhttp://www.businessdictionary.com/definition/system.htmlhttp://www.businessdictionary.com/definition/data.htmlhttp://www.businessdictionary.com/definition/assurance.htmlhttp://www.businessdictionary.com/definition/assurance.html


17/38


18/38


Integrity

Information Integrity is a prerequisite for

many other information management

initiatives. If the underlying informationisnt of a sufficient level of integrity, the

success of business activities relying on

the information will be limited.

Example: Threats to information integrity
http://www.thehindubusinessline.com/businessline/iw/2001/07/08/stories/0808h01v.htmhttp://www.thehindubusinessline.com/businessline/iw/2001/07/08/stories/0808h01v.htm


19/38


Nonrepudiation

In reference to digital security,nonrepudiation means to ensure that a

transferred message has been sent andreceived by the parties claiming to havesent and received the message.Nonrepudiation is a way to guarantee thatthe sender of a message cannot later denyhaving sent the message and that therecipient cannot deny having received themessage.

http://www.webopedia.com/TERM/N/nonrepudiation.html


20/38


Nonrepudiation

Nonrepudiation can be obtained throughthe use of: digital signatures (digital certificates, a form of

public key infrastructure) -- function as a uniqueidentifier for an individual, much like a writtensignature.

confirmation services -- the message transferagent can create digital receipts to indicated that

messages were sent and/or received. timestamps -- timestamps contain the date and

time a document was composed and proves thata document existed at a certain time.
http://www.webopedia.com/TERM/N/digital_signature.htmlhttp://en.wikipedia.org/wiki/Digital_certificateshttp://en.wikipedia.org/wiki/Public_key_infrastructurehttp://www.webopedia.com/TERM/N/MTA.htmlhttp://www.webopedia.com/TERM/N/MTA.htmlhttp://www.webopedia.com/TERM/N/MTA.htmlhttp://www.webopedia.com/TERM/N/MTA.htmlhttp://en.wikipedia.org/wiki/Public_key_infrastructurehttp://en.wikipedia.org/wiki/Digital_certificateshttp://www.webopedia.com/TERM/N/digital_signature.html


21/38


Authority

An unauthorized user can not altered/

modified information reside in the

computer network.


22/38


Confidentiality

Confidentiality has been defined by theInternational Organization for

Standardization (ISO) as "ensuring thatinformation is accessible only to thoseauthorized to have access" and is one ofthe cornerstones ofinformation security.Confidentiality is one of the design goalsfor many cryptosystems, made possible inpractice by the techniques of moderncryptography.
http://en.wikipedia.org/wiki/International_Organization_for_Standardizationhttp://en.wikipedia.org/wiki/International_Organization_for_Standardizationhttp://en.wikipedia.org/wiki/Information_securityhttp://en.wikipedia.org/wiki/Cryptosystemhttp://en.wikipedia.org/wiki/Cryptographyhttp://en.wikipedia.org/wiki/Cryptographyhttp://en.wikipedia.org/wiki/Cryptosystemhttp://en.wikipedia.org/wiki/Information_securityhttp://en.wikipedia.org/wiki/International_Organization_for_Standardizationhttp://en.wikipedia.org/wiki/International_Organization_for_Standardization


23/38


Privacy

Privacy is the ability of an individual orgroup to seclude themselves or information

about themselves and thereby revealthemselves selectively.

The boundaries and content of what isconsidered private differ among cultures

and individuals, but share basic commonthemes. Privacy is sometimes related toanonymity, the wish to remain unnoticed orunidentified in the public realm.
http://en.wikipedia.org/wiki/Anonymityhttp://en.wikipedia.org/wiki/Anonymity


24/38


Privacy

When something is private to aperson, itusually means there is something within themthat is considered inherently special or

personally sensitive. The degree to whichprivate information is exposed thereforedepends on how the public will receive thisinformation, which differs between places and

over time. Privacy can be seen as an aspect ofsecurity one in which trade-offs betweenthe interests of one group and another canbecome particularly clear.
http://en.wikipedia.org/wiki/Securityhttp://en.wikipedia.org/wiki/Security


25/38


Privacy

The right against unsanctioned invasion of privacy bythe government, corporations orindividuals is part ofmany countries' privacy laws, and in some cases,constitutions. Almost all countries have laws which in

some way limit privacy; an example of this would belaw concerning taxation, which normally require thesharing of information about personal income orearnings. In some countries individual privacy mayconflict with freedom of speech laws and some lawsmay require public disclosure of information whichwould be considered private in other countries andcultures.
http://en.wikipedia.org/wiki/Governmenthttp://en.wikipedia.org/wiki/Corporationhttp://en.wikipedia.org/wiki/Individualhttp://en.wikipedia.org/wiki/Privacyhttp://en.wikipedia.org/wiki/Constitutionhttp://en.wikipedia.org/wiki/Taxationhttp://en.wikipedia.org/wiki/Earningshttp://en.wikipedia.org/wiki/Freedom_of_speechhttp://en.wikipedia.org/wiki/Freedom_of_speechhttp://en.wikipedia.org/wiki/Earningshttp://en.wikipedia.org/wiki/Taxationhttp://en.wikipedia.org/wiki/Constitutionhttp://en.wikipedia.org/wiki/Privacyhttp://en.wikipedia.org/wiki/Individualhttp://en.wikipedia.org/wiki/Corporationhttp://en.wikipedia.org/wiki/Government


26/38


Privacy Privacy may be voluntarily sacrificed, normally inexchange for perceived benefits and very often withspecific dangers and losses, although this is a verystrategic view of human relationships. Academics

who are economists, evolutionary theorists, andresearch psychologists describe revealing privacy asa 'voluntary sacrifice', where sweepstakes orcompetitions are involved. In the business world, aperson may give personal details (often foradvertising purposes) in order to enter a gamble of

winning a prize. Information which is voluntarilyshared and is later stolen or misused can lead toidentity theft.
http://en.wikipedia.org/wiki/Advertisinghttp://en.wikipedia.org/wiki/Identity_thefthttp://en.wikipedia.org/wiki/Identity_thefthttp://en.wikipedia.org/wiki/Advertising


27/38


Availability

Information availability is alwaysvulnerable to the unexpected, such as

human error, severe weather, naturaldisasters, disruptions to electrical orcommunications networks, as well asman-made disasters. Even a minor

disruption to business operations can bedevastating, which is why developing aninformation availability plan is essential.


28/38


Access CotrolAccess control is the ability to permit or denythe use of a particular resource by a particularentity.

Access control mechanisms can be used inmanaging physical resources (such as amovie theater, to which only ticketholdersshould be admitted), logical resources (a bankaccount, with a limited number of people

authorized to make a withdrawal), or digitalresources (for example, a private textdocument on a computer, which only certainusers should be able to read).

http://en.wikipedia.org/wiki/Access_control#Computer_security
http://en.wikipedia.org/wiki/Access_controlhttp://en.wikipedia.org/wiki/Access_controlhttp://en.wikipedia.org/wiki/Access_controlhttp://en.wikipedia.org/wiki/Access_control


29/38


Access Cotrol

In computer security, access control

includes authentication, authorization

and audit. It also includes measuressuch as physical devices, including

biometric scans and metal locks, hidden

paths, digital signatures, encryption,social barriers, and monitoring by

humans and automated systems.

http://en.wikipedia.org/wiki/Computer_securityhttp://en.wikipedia.org/wiki/Authenticationhttp://en.wikipedia.org/wiki/Authorizationhttp://en.wikipedia.org/wiki/Audit_trailhttp://en.wikipedia.org/wiki/Lock_(device)http://en.wikipedia.org/wiki/Digital_signaturehttp://en.wikipedia.org/wiki/Encryptionhttp://en.wikipedia.org/wiki/Access_controlhttp://en.wikipedia.org/wiki/Access_controlhttp://en.wikipedia.org/wiki/Access_controlhttp://en.wikipedia.org/wiki/Access_controlhttp://en.wikipedia.org/wiki/Encryptionhttp://en.wikipedia.org/wiki/Digital_signaturehttp://en.wikipedia.org/wiki/Lock_(device)http://en.wikipedia.org/wiki/Audit_trailhttp://en.wikipedia.org/wiki/Authorizationhttp://en.wikipedia.org/wiki/Authenticationhttp://en.wikipedia.org/wiki/Computer_security


30/38


31/38


Access Cotrol

Subjects and objects should both be

considered as software entities, rather

than as human users: any human usercan only have an effect on the system

via the software entities that they

control.

http://en.wikipedia.org/wiki/Access_controlhttp://en.wikipedia.org/wiki/Access_controlhttp://en.wikipedia.org/wiki/Access_controlhttp://en.wikipedia.org/wiki/Access_control


32/38


Access Cotrol

Although some systems equate subjectswith user IDs, so that all processes

started by a user by default have thesame authority, this level of control is notfine-grained enough to satisfy thePrinciple of least privilege, and arguably

is responsible for the prevalence ofmalware in such systems (see computerinsecurity).

http://en.wikipedia.org/wiki/Principle_of_least_privilegehttp://en.wikipedia.org/wiki/Malwarehttp://en.wikipedia.org/wiki/Computer_insecurityhttp://en.wikipedia.org/wiki/Computer_insecurityhttp://en.wikipedia.org/wiki/Access_controlhttp://en.wikipedia.org/wiki/Access_controlhttp://en.wikipedia.org/wiki/Access_controlhttp://en.wikipedia.org/wiki/Access_controlhttp://en.wikipedia.org/wiki/Computer_insecurityhttp://en.wikipedia.org/wiki/Computer_insecurityhttp://en.wikipedia.org/wiki/Malwarehttp://en.wikipedia.org/wiki/Principle_of_least_privilege


33/38


34/38

INTERUPTION


35/38

INTERCEPTION

Hackers are constantly working

to update their attack tools,techniques and methods to find

new ways to break into

databases, networks and PCs.

Track their progress and the work

of cybercrime investigators with

hacking groups, hacker sites and

the hacker underground.


36/38


37/38

FABRICATION

These days, a phishing attack is almost

indistinguishable from the real thing.The result: unwitting employees disclosing

confidential information, from passwords to

financial data, to ill-intentioned intruders.

Unable to identify fraudulent websites and

counterfeit email messages, these internal

workers are essentially opening a

companys closed doors to criminals.

No wonder spear phishing attempts

are exploding in number. The

Symantec Probe Network detected a

total of 166,248 unique phishingmessages, a six percent increase

over the first six months of 2006.

And Symantec blocked over 1.5

billion phishing messages, an

increase of 19 percent over the first

half of 2006.


38/38

Documents

Security System 1 - 01