
4.1. Introduction to Information Security
• Security can be defined as the degree of protection
against criminal activity, danger, damage, and/or
loss.
• Information security refers to all of the processes
and policies designed to protect an organization’s
information and information systems (IS) from
unauthorized access, use, disclosure, disruption,
modification, or destruction.
• Note: information security is defined as every effort to
protect computer and non-computer equipment, together with
its facilities, data, and information, from misuse by
unauthorized parties. The definition covers information
technology equipment, copiers, fax machines, multimedia, and
paper documents.
Objectives of Information Security
• Confidentiality: protecting data and information from
disclosure to unauthorized parties.
• Availability: keeping data and information available
only to those authorized to use them.
• Integrity: the information system keeps providing
accurate information, in accordance with the instructions
and the physical system that performs the processing.
Five Factors Increasing the Vulnerability
of Information Resources
1. Today's interconnected, interdependent,
wirelessly networked business environment
2. Smaller, faster, cheaper computers and
storage devices
3. Decreasing skills necessary to be a
hacker
4. Organized crime taking over cybercrime
5. Lack of management support
4.2. Unintentional Threats to Information Systems
• Human Errors
Higher-level employees + greater access
privileges = greater threat. Two areas pose
significant threats: Human Resources and
Information Systems. Other areas of threat:
contract labor, consultants, janitors, and guards.
• Social Engineering
An attack in which the perpetrator uses social
skills to trick or manipulate legitimate employees
into providing confidential company information
such as passwords.
Human Errors
Other human errors
• Tailgating (a door that was not locked securely)
• Shoulder surfing (being watched by someone behind
or beside you)
• Carelessness with laptops and portable computing
devices (leaving a laptop or similar device lying
around carelessly)
• Opening questionable s (unknowingly opening unusual
ones)
• Careless Internet surfing (careless use of the
Internet, forgetting to sign out, etc.)
4.3. Deliberate Threats to Information Systems
The ten types of deliberate attacks:
• Espionage or trespass
• Information extortion (glossed in the original as information destruction)
• Sabotage or vandalism
• Theft of equipment or information
• Identity theft
• Compromises to intellectual property
• Software attacks
• Alien software
• Supervisory control and data acquisition (SCADA)
attacks
• Cyberterrorism and cyberwarfare
Espionage or trespass
• Espionage or trespass occurs when an unauthorized
individual attempts to gain illegal access to
organizational information. It is important to
distinguish between competitive intelligence and
industrial espionage.
• Competitive intelligence consists of legal information-
gathering techniques, such as studying a company's
Web site and press releases, attending trade shows, and
so on. In contrast, industrial espionage crosses the legal
boundary.
Information extortion
• Manipulating information away from its original form, or
a type of crime committed by disrupting, damaging, or
destroying data, computer programs, or computer network
systems connected to the Internet.
Software Attacks
• Software attacks have evolved from the
early years of the computer era, when
attackers used malicious software
(Malware) to infect as many computers
worldwide as possible, to the profit-driven,
Web-based attacks of today.
• Modern cybercriminals use sophisticated,
blended malware attacks, typically via the
Web, to make money.
(1) Remote Attacks Requiring User Action
• Virus. Segment of computer code that performs malicious actions
by attaching to another computer program.
• Worm. Segment of computer code that performs malicious actions
and will replicate, or spread, by itself (without requiring another
computer program).
• Phishing Attack. Phishing attacks use deception to acquire
sensitive personal information by masquerading as official-looking
e-mails or instant messages.
• Spear Phishing Attack. Phishing attacks target large groups of
people. In spear phishing attacks, the perpetrators find out as much
information about an individual as possible to improve their chances
that phishing techniques will be able to obtain sensitive, personal
information.
Alien software
• Many personal computers have alien software, or pestware,
running on them that the owners do not know about.
• Alien software is clandestine (secret) software that is
installed on your computer through duplicitous methods. It
typically is not as malicious as viruses, worms, or Trojan
horses, but it does use up valuable system resources. In
addition, it can report on your Web surfing habits and other
personal behavior.
• The vast majority of pestware is adware: software that
causes pop-up advertisements to appear on your screen.
• Spyware (snooping software) is software that collects personal
information about users without their consent. Two common
types of spyware are keystroke loggers and screen scrapers.
• Spamware is pestware that uses your
computer as a launch pad for spammers.
Spam is unsolicited e-mail, usually
advertising for products and services.
Cyberterrorism
• Cyberterrorism is another extreme form, in modern
terminology, that involves using technology for political
ends through acts of cybercrime such as attacks on computer
systems and networks, with the aim of endangering, harming,
and even injuring human life and threatening a country's
national security. Among such actions is searching for
vulnerabilities in the target's traffic control systems.
Cyberwarfare
• Cyberwarfare consists of actions in cyberspace that use
computer hacking techniques, driven by the interests of a
country's government, for political (economic, social, etc.)
ends, ranging from espionage or sabotage to remote control
('system remote' authority) over target computers, which can
cause harm and significant damage.
4.4. What Organizations Are Doing to Protect Information Resources
• Risk analysis
• Risk mitigation
Risk analysis
• Risk analysis involves three steps: (1) assessing the
value of each asset being protected, (2) estimating the
probability that each asset will be compromised, and
(3) comparing the probable costs of the asset's being
compromised with the costs of protecting that asset. The
organization then considers how to mitigate the risk.
Risk mitigation
• In risk mitigation, the organization takes concrete actions
against risks. Risk mitigation has two functions:
• (1) implementing controls to prevent identified threats
from occurring, and
• (2) developing a means of recovery if the threat
becomes a reality. There are several risk mitigation
strategies that organizations can adopt. The three most
common are risk acceptance, risk limitation, and risk
transference.
• Note: risk mitigation is the process, or the set of steps, for
controlling, evaluating, preventing the recurrence of, and keeping
control over the risks that occur.
Three risk mitigation strategies
• Risk acceptance: Accept the potential
risk, continue operating with no controls,
and absorb any damages that occur.
• Risk limitation: Limit the risk by
implementing controls that minimize the
impact of the threat.
• Risk transference: Transfer the risk by
using other means to compensate for the
loss, such as by purchasing insurance.
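The three risk-analysis steps and the choice among the three mitigation strategies, carried through on constructed figures. This is an added worked example, not part of the original slides; the asset values, probabilities, control costs and the decision rule in recommend() are assumptions made for illustration.

```python
"""Worked risk analysis: asset value, probability of compromise, and the cost
comparison that leads to accept / limit / transfer.
Added example; all figures and the decision rule are constructed assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Asset:
    name: str
    value: float            # step 1: what the asset is worth (loss if fully compromised)
    p_compromise: float     # step 2: estimated probability of compromise per year
    control_cost: float     # step 3: annual cost of the control that would protect it
    control_effect: float   # fraction of the expected loss that control removes (0..1)
    insurance_premium: Optional[float] = None  # annual premium if the risk can be transferred


def expected_loss(asset: Asset) -> float:
    """Annual expected loss: asset value times probability of compromise."""
    return asset.value * asset.p_compromise


def control_savings(asset: Asset) -> float:
    """Expected loss the control would remove each year."""
    return expected_loss(asset) * asset.control_effect


def recommend(asset: Asset) -> str:
    """Assumed decision rule (not from the slides):
    - limit:    the control saves more than it costs
    - transfer: no worthwhile control, but insurance is cheaper than the expected loss
    - accept:   otherwise run with no control and absorb any damage
    """
    if control_savings(asset) > asset.control_cost:
        return "limit"
    if asset.insurance_premium is not None and asset.insurance_premium < expected_loss(asset):
        return "transfer"
    return "accept"


def plan(assets) -> dict:
    """Map every asset to its recommended strategy."""
    return {a.name: recommend(a) for a in assets}


# Constructed sample assets (figures chosen so the arithmetic is exact).
ASSETS = [
    Asset("customer database", value=200_000, p_compromise=0.125,
          control_cost=10_000, control_effect=0.75),
    Asset("laptop fleet", value=64_000, p_compromise=0.25,
          control_cost=20_000, control_effect=0.75, insurance_premium=5_000),
    Asset("old brochure archive", value=1_600, p_compromise=0.125,
          control_cost=1_500, control_effect=0.75),
]

if __name__ == "__main__":
    for a in ASSETS:
        print(f"{a.name:22s} expected loss {expected_loss(a):>9,.0f}  "
              f"control saves {control_savings(a):>9,.0f} for {a.control_cost:>7,.0f}  "
              f"-> {recommend(a)}")
```

The customer database is worth limiting (the control removes 18,750 of a 25,000 expected annual loss for 10,000), the laptop fleet's control costs more than it saves but a 5,000 premium is cheaper than its 16,000 expected loss, and the brochure archive's 200 expected loss is simply accepted.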
4.5. Information Security Controls
• To protect their information assets, organizations
implement controls, or defense mechanisms
(also called countermeasures). These controls
are designed to protect all of the components of
an information system, including data, software,
hardware, and networks.
• Three major types of controls: physical controls,
access controls, and communications controls.
Physical controls
• Physical controls prevent unauthorized individuals from
gaining access to a company's facilities. Common
physical controls include walls, doors, fencing, gates,
locks, badges, guards, and alarm systems. More
sophisticated physical controls include pressure sensors,
temperature sensors, and motion detectors.
• Access controls restrict unauthorized individuals from
using information resources. These controls involve two
major functions: authentication and authorization.
• Communications (network) controls secure the
movement of data across networks. Communications
controls consist of firewalls, anti-malware systems,
whitelisting and blacklisting, encryption, virtual private
networking, secure socket layer, and vulnerability
management systems.
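The two functions of access control named above, authentication (proving who you are) and authorization (what that identity may do), shown as a small working check. This is an added example, not code from the original slides; the user store, the passwords, the roles and the action names are constructed assumptions.

```python
"""Authentication, then authorization, as two separate checks.
Added example; the users, passwords, roles and actions are constructed."""
import hashlib
import hmac
import secrets

ITERATIONS = 100_000
DUMMY_SALT = b"\x00" * 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: the store keeps this hash, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user(password: str, role: str) -> dict:
    salt = secrets.token_bytes(16)  # per-user salt
    return {"salt": salt, "hash": hash_password(password, salt), "role": role}


# Constructed user store (assumption: not real accounts or passwords).
USERS = {
    "alice": make_user("constructed-pass-alice", "analyst"),
    "bob": make_user("constructed-pass-bob", "admin"),
}

# Authorization policy: each role gets only the actions it needs (least privilege).
PERMISSIONS = {
    "analyst": {"read_report"},
    "admin": {"read_report", "modify_firewall"},
}


def authenticate(username: str, password: str) -> bool:
    """Authentication: does the presented password match the stored hash?"""
    user = USERS.get(username)
    if user is None:
        # Hash anyway so an unknown account takes as long as a wrong password.
        hash_password(password, DUMMY_SALT)
        return False
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(user["hash"], hash_password(password, user["salt"]))


def authorize(username: str, action: str) -> bool:
    """Authorization: is this action permitted for the user's role? Default deny."""
    role = USERS[username]["role"]
    return action in PERMISSIONS.get(role, set())


def access(username: str, password: str, action: str) -> str:
    """Authentication first, then authorization; both must pass."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, action):
        return "denied: not authorized"
    return "allowed"


if __name__ == "__main__":
    print(access("alice", "constructed-pass-alice", "read_report"))
    print(access("alice", "constructed-pass-alice", "modify_firewall"))
    print(access("bob", "wrong-password", "read_report"))
```

Note that a valid login does not imply permission: alice authenticates successfully but is still refused modify_firewall, and an action missing from the policy is denied by default rather than allowed.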
End
