Information Systems Controls (1)

Main topic:
BASIC CONCEPTS OF INFORMATION SECURITY

PREVENTIVE, DETECTIVE, CORRECTIVE

1577.ws

Characteristics of Information

Relevance: fits the existing conditions
Reliable: dependable
Completeness: complete
Timeliness: on time, at the moment it is needed
Understandability: easy to understand
Verifiability: includes an element of checking
Accessibility: available when needed

Systems Reliability

[Figure labels: SYSTEMS RELIABILITY; CONFIDENTIALITY; PRIVACY; PROCESSING INTEGRITY; AVAILABILITY; SECURITY]

What supports system reliability:

Confidentiality of information
Privacy requirements are met
Integrity of data processing
The system is available
Security of access and data on the system (confidential information and customer data) against:
  Unauthorized transactions
  Unauthorized access
  Viruses and worms

Basic Concepts of Information Security

3 concepts:
Security is a management issue
Time-based model of security
Defense in depth

Information Security Is a Management Issue

Management is responsible for controlling information security; technology is only a consequence of management policy.

Management's responsibilities for information security (trust services approach) include:

Creating and developing policies
Communicating the policies effectively
Implementing appropriate design and controls
Monitoring the system (correcting and adjusting)

Time-Based Model of Security

The time-based model of security focuses on applying time calculations to preventive, detective, and corrective controls.

3 variables:
P = the maximum time the preventive controls can hold out
D = the time needed to detect a disturbance
C = the time needed to fix the disturbance

Security is effective when P > (D + C)

TIME-BASED MODEL OF SECURITY

Example:

So let's assume that P = 15 min., D = 5 min., and C = 8 min.

At our starting point, P - (D + C) = 15 - (5 + 8) = 2 min.
With Measure 1, P is increased by 5 minutes:
20 - (5 + 8) = 7 min.
With Measure 2, D is decreased by 3 minutes:
15 - (2 + 8) = 5 min.
With Measure 3, C is decreased by 5 min.:
15 - (5 + 3) = 7 min.
With Measure 4, P is increased by 3 minutes and C is reduced by 3 min.:
18 - (5 + 5) = 8 min.

The most cost-effective choice would therefore be Measure 4.

Defense in Depth

Preventive controls include:

Authentication controls (passwords, tokens, biometrics)
Authorization controls (access control)
Training
Physical access controls (locks, guards, biometric devices)
Remote access controls
Host and application hardening procedures
Encryption

Detective controls include:

Log analysis
Intrusion detection systems
Managerial reports
Security testing

Corrective controls include:

Computer emergency response teams
Chief Security Officer (CSO)
Patch management

Preventive Control

Authentication and Authorization

Authentication: person vs. devices
Authorization: person vs. access

Means of authentication:
Something they know, such as passwords or PINs.
Something they have, such as smart cards or ID badges.
Some physical characteristic (biometric identifier), such as fingerprints or voice.

Passwords

Password criteria:
Length
Multiple character types
Random
Secret

So what does an effective password look like?
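
One way to turn the length, character-type and randomness criteria into code, as an added example that is not part of the original slides. The 16-character default and the 12-character / 3-type thresholds in meets_criteria are assumptions chosen for illustration.

```python
import math
import secrets
import string

# The four character types; a password should draw on several of them.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]
ALPHABET = "".join(CLASSES)  # 94 printable ASCII symbols


def character_types(password: str) -> int:
    """Number of character types (0 to 4) that appear in the password."""
    return sum(any(ch in cls for ch in password) for cls in CLASSES)


def generate_password(length: int = 16) -> str:
    """Random password from the OS CSPRNG containing every character type."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character type")
    while True:
        # Rejection sampling keeps the draw uniform over all qualifying passwords.
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if character_types(candidate) == len(CLASSES):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Upper bound on entropy for a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def meets_criteria(password: str, min_length: int = 12, min_types: int = 3) -> bool:
    """Checks length and variety only (assumed thresholds).

    Randomness and secrecy cannot be read off the string itself.
    """
    return len(password) >= min_length and character_types(password) >= min_types


if __name__ == "__main__":
    pw = generate_password()
    print(pw, meets_criteria(pw), round(entropy_bits(len(pw)), 1))
    # Passes the length and variety checks, yet is a guessable pattern, not random.
    print("Password2011!", meets_criteria("Password2011!"))
```

A string such as "Password2011!" satisfies the length and character-type checks while failing the "random" criterion, which is why generation from a cryptographic random source matters more than a composition rule.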


Weaknesses of the Authentication Methods

Passwords: can be guessed, lost, etc.
Physical identification techniques: can be lost, duplicated, or stolen
Biometric techniques: expensive

Preventive Control

Training
Control Physical Access
Control Remote Access
Hardening
Encryption


Training

First layer of preventive control

Training and understanding are given so that people:

Do not open e-mail carelessly
Use software in accordance with the rules
Keep passwords secret
Protect data (physically)

Control Physical Access

Second layer of preventive control

Threats to the physical protection of data and information:
Keystroke loggers: capture all information that is entered (log in)
Ease of copying data
Hard disk theft
Removable media

Physical safeguards:
Automatic locking
Screening by a receptionist (ID card)
CCTV
Alarms
Restricted access (devices, passwords)
Network cabling is not exposed

Controlling Remote Access

Third layer of preventive control

The tools:
Border router
Firewall
Demilitarized zone (DMZ)

PREVENTIVE CONTROLS

A device called a border router connects an organization's information system to the Internet.
Behind the border router is the main firewall, either a special-purpose hardware device or software running on a general-purpose computer.
Web servers and email servers are placed in a separate network called the demilitarized zone (DMZ), because it sits outside the corporate network but is accessible from the Internet.

Host and Application Hardening

Fourth layer of preventive control

Every program has weaknesses (vulnerabilities).
Optional programs that are not needed are disabled (hardening).

Encryption

Final layer of preventive control

Factors that affect the strength of encryption:
Key length
Key management policies
The nature of the encryption algorithm

PREVENTIVE CONTROLS

[Figure: Plaintext ("This is a contract for . . .") + Key -> Encryption algorithm -> Ciphertext ("Xb&j &m 2 ep0%fg . . .") + Key -> Decryption algorithm -> Plaintext ("This is a contract for . . .")]

Encryption is the process of transforming normal text, called plaintext, into unreadable gibberish, called ciphertext.
Decryption reverses this process.
To encrypt or decrypt, both a key and an algorithm are needed.

Types of Encryption

Symmetric encryption systems

ADVANTAGE:
Faster than asymmetric encryption
DISADVANTAGES:
The encryption code (key) has to be synchronized between the parties
Because both parties hold the same encryption code, it is hard to prove who is responsible if a problem occurs.

Asymmetric encryption systems

The public key is publicly available.
The private key is kept secret and known only to the owner of that pair of keys.
Both can be used.

PREVENTIVE CONTROLS

Hashing

Hashing takes plaintext of any length and transforms it into a short code called a hash.
SHA-256 creates a 256-bit hash regardless of text length.

Hashing differs from encryption in that:

Encryption always produces ciphertext similar in length to the plaintext, but hashing produces a hash of a fixed short length.
Encryption is reversible, but hashing is not; you cannot transform a hash back into its original plaintext.
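
The two differences listed above, shown with Python's standard library as an added example that is not part of the original slides. SHA-256 comes from hashlib; the reversible cipher is a stand-in built from a SHA-256 counter keystream so the example runs without third-party packages, and the key and messages are constructed.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest as 64 hex characters (256 bits), whatever the input length."""
    return hashlib.sha256(data).hexdigest()


def _keystream(key: bytes, n: int) -> bytes:
    # Stand-in for a real cipher such as AES: SHA-256 in counter mode (assumption).
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]


def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Encrypts or decrypts: XOR with the same keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def compare(messages, key):
    """For each message, record output sizes and whether the step can be undone."""
    rows = []
    for m in messages:
        ct = xor_cipher(key, m)
        rows.append({
            "plaintext_len": len(m),
            "ciphertext_len": len(ct),                       # tracks the plaintext
            "hash_bits": len(hashlib.sha256(m).digest()) * 8,  # always 256
            "decrypts_back": xor_cipher(key, ct) == m,       # needs the same key
        })
    return rows


SAMPLES = [b"", b"This is a contract for ...", b"A" * 10_000]  # constructed inputs
KEY = b"constructed-demo-key"                                   # constructed key

if __name__ == "__main__":
    for row in compare(SAMPLES, KEY):
        print(row)
    # One changed character gives an unrelated digest, so a stored hash
    # reveals any later modification of the text.
    print(sha256_hex(b"This is a contract for $100"))
    print(sha256_hex(b"This is a contract for $900"))
```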


DETECTIVE CONTROLS

Preventive controls are never 100% effective in blocking all attacks.
So organizations implement detective controls to enhance security by:

Monitoring the effectiveness of preventive controls; and
Detecting incidents in which preventive controls have been circumvented.

DETECTIVE CONTROLS

Authentication and authorization controls (both preventive and detective) govern access to the system and limit the actions that can be performed by authorized users.
Actual system use (detective control) must be examined to assess compliance through:

Log analysis
Intrusion detection systems
Managerial reports
Periodically testing the effectiveness of existing security procedures

CORRECTIVE CONTROLS

Three key components that satisfy the preceding criteria are:

Establishment of a computer emergency response team.
Designation of a specific individual with organization-wide responsibility for security.
An organized patch management system.

Thank You

Jakarta, 15 November 2011