Meeting 5: Human Factors of Risks in e-Business
Course: F0662/Web Based Accounting. Year: 2005. Version: 1/0.
Learning Outcomes
By the end of the meeting, students are expected to be able to:
• Explain that human factors are one of the weak links in e-business security (TIK-5)
• Explain how to anticipate and manage e-business risks (TIK-5)
Outline
• Topic 1: Human factors are one of the weak links
• Topic 2: How to anticipate and manage e-business risks
Human Factors in e-Business
• People, the weak link in e-business
• Responsible personnel
• Action plan for a breach of security
System Interdependencies
• e-Business often involves highly interdependent partnerships with customers, suppliers, and various electronic service providers, so a weakness at any one partner becomes a risk for all of them.
Anticipating & Managing Risks
• The most dangerous risk category is what we might call emergent risks: threats that have yet to be identified.
• Sometimes a "patch" creates more "holes".
• The AICPA has released a list of 10 best practices for e-commerce self-defence.
Frequent Security Incidents
• The vast majority of calls I get are in regard to a "hacking incident"
• Almost all of these incidents are on Internet-connected machines
Frequent Security Incidents
• Most incidents are precipitated by:
  – An external complaint ("your mail server is sending me a lot of spam e-mail")
  – A change in the system (the hard drive is full, strange new programs are running, tape backups are taking a lot longer)
  – The Internet is "slow", or we see strange activity
  – A threat from an insider, usually a network administrator making casual statements about how they could "take them out" if they ever got fired
Frequent Security Incidents
• Many complaints focus on inappropriate use of company technology:
  – Employees looking at pornography at work
  – A user is suspected of having "hacking" tools
  – Suspected theft of trade secrets / proprietary information
Frequent Security Incidents
• Another frequent event is an "employee termination" scenario:
  – The employee is usually a computer administrator
  – The employee has extensive access to many systems
  – The employee is a "troublemaker"
  – The employer wants help in terminating the employee, and wants to remove their access FIRST, before firing them
  – This typically involves a lot of brainstorming to identify all possible points of ingress to the computing environment
Breaching
• Enterprises spend millions to protect themselves from the threat of computer sabotage or breach. Internal staff are among the potential sources of, and suspects in, a breach.
Breaching
Based on experience (at least at Bank Central Asia, Indonesia), 70% of network security breaches are due to procedural aspects; 30% of attacks are at least partly technical, involving the information systems infrastructure or security tools. BCA's statistics also show that attacks were 62% internal and 38% external in 1996, when BCA used an intranet; after moving to the Internet the split was 41% internal to 59% external (2000) and 30% to 70% (2001). Auditing, management controls and awareness are the key security building blocks.
Breach by Internal Staff ([email protected], 2002)
Types of security breaches:
• Non-entitled users accessing resources: 57%
• Accounts left open after staff left the company: 43%
• Victim of information theft from your network: 30%
• Access for contractors not terminated upon project completion: 27%
• Attempted or successful break-in by an angry employee: 21%
Breach: Typical Scenario
• The angry employee (21%) is one of the most clearly illegal but hardest-to-anticipate breaches. Contributing factors:
• The introverted style of information technology staff.
• Frustration in a project activity, or because of overload.
• Trusting information technology staff too much, so that he or she has the opportunity to conduct a breach.
• No clear security policy in the company or organization.
• Passwords or IDs of ex-staff that are not deleted.
• Management controls or internal audit that are not effective.
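The termination scenario (identify every point of ingress before the administrator is fired), the "accounts left open after staff left" and "contractor access not terminated" figures in the breach table, and the undeleted ex-staff IDs in the list above are the same control failure seen from three sides: nobody reconciles the account inventory against the HR roster. The following is an added example, not code from the slides or from any product; it reconciles a constructed roster and account inventory (the people, systems and field names are assumptions) to list stale accounts and to build the revocation plan for a departing administrator, putting shared credentials first because those must be rotated rather than disabled.

```python
"""Reconcile an account inventory against the HR roster to find access that should
already have been revoked: accounts of ex-staff, contractor accounts kept past project
completion, and every point of ingress a departing administrator still holds.

Added example; the roster, the systems and the people are constructed and the
field names are assumptions, not any product's schema."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Person:
    uid: str
    kind: str                   # "employee" or "contractor"
    end_date: Optional[date]    # termination date or contract end; None while active


@dataclass(frozen=True)
class Account:
    system: str                 # e.g. "AD", "VPN", "ERP-DB", "WebAdmin"
    name: str
    owner: Optional[str]        # uid of the responsible person; None if nobody claims it
    enabled: bool
    shared: bool = False        # shared/service credential whose secret the owner knows


AUDIT_DATE = date(2005, 4, 30)

ROSTER = {
    "alice": Person("alice", "employee", None),
    "bob": Person("bob", "employee", date(2005, 3, 31)),        # left the company
    "carol": Person("carol", "contractor", date(2005, 2, 15)),  # project completed
    "dave": Person("dave", "employee", None),                   # admin about to be terminated
}

ACCOUNTS = [
    Account("AD", "alice", "alice", True),
    Account("AD", "bob", "bob", True),                    # left open after staff left
    Account("VPN", "carol-ext", "carol", True),          # contractor access not terminated
    Account("ERP-DB", "sa", "dave", True, shared=True),  # shared DB admin credential
    Account("AD", "dave", "dave", True),
    Account("VPN", "dave", "dave", True),
    Account("WebAdmin", "admin", "dave", True, shared=True),
    Account("AD", "svc_backup", None, True),              # nobody owns it
    Account("AD", "erin", "erin", True),                  # owner unknown to HR
]


def stale_accounts(roster, accounts, today):
    """Enabled accounts whose owner is gone, unknown, or past contract end.
    Returns (system, account name, reason) tuples."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.owner is None:
            findings.append((acct.system, acct.name, "no owner on record"))
            continue
        owner = roster.get(acct.owner)
        if owner is None:
            findings.append((acct.system, acct.name, "owner not in HR roster"))
        elif owner.end_date is not None and owner.end_date < today:
            reason = ("contractor access past project end" if owner.kind == "contractor"
                      else "owner left the company")
            findings.append((acct.system, acct.name, reason))
    return findings


def offboarding_plan(uid, accounts):
    """Every point of ingress a departing person holds, shared credentials first:
    those must be rotated, not merely disabled, because the person knows the secret
    and could keep using it after their own accounts are gone."""
    mine = [a for a in accounts if a.owner == uid and a.enabled]
    mine.sort(key=lambda a: (not a.shared, a.system, a.name))
    return [(a.system, a.name, "rotate secret" if a.shared else "disable account")
            for a in mine]


if __name__ == "__main__":
    for finding in stale_accounts(ROSTER, ACCOUNTS, AUDIT_DATE):
        print("STALE   :", *finding)
    for step in offboarding_plan("dave", ACCOUNTS):
        print("OFFBOARD:", *step)
```

Run against a real environment, the roster would come from HR and the inventory from each system's own user listing; the two checks stay the same. The point of ordering the plan is that disabling "dave" in AD does nothing about the `sa` password he already knows.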
Company Response to Breach
• Enterprise response, auditing and discovery solutions provide an integrated platform for responding to enterprise incidents and threats, with the following benefits:
• Accelerate response time to information security breaches.
• Empower the enterprise to better control assets and infrastructure.
• Conduct comprehensive investigations and audits.
• Reduce the potential liability from misuse of corporate information and assets.
• Eliminate costly and archaic investigation/auditing procedures.
• Increase information systems' reliability and availability by conducting investigations while systems are online.
An Impersonal World
• There are really two different types of computer security incidents: personal and impersonal
• In my work, they are almost always impersonal hacking attacks, not someone who intentionally targeted the victim
• Most hackers couldn't care less who you are or what sensitive information you have; they simply want to control an Internet-connected server
An Impersonal World
• Usually this access is used in a few ways:
  – To commit crimes, using you as the staging point
  – To share questionable material, using your Internet connection and server space (the "warez" server)
  – To access questionable material, using you as a relay to hide their origin (frequently porn)
  – To use you as a spam relay to send junk e-mail to thousands of people
How Hacking Happens
• Hacking is generally possible due to a vulnerability or a misconfiguration in some server or device
• Vulnerabilities exist, and are constantly discovered, in all types of systems, by hackers and "white hats" alike
• Patches are released, but are rarely applied, due to lack of resources, awareness, or just plain apathy
• Case in point: the latest major Internet worm, "Slammer" (January 2003), exploited a hole in Microsoft SQL Server for which a software fix had been available for six months
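An unpatched hole is invisible until it is used, but its use is very visible: Slammer spread by firing one UDP datagram at port 1434 of as many addresses as it could, so an infected host shows up in firewall logs as a single source fanning out to many destinations within seconds. The following is an added example, not code from the slides; it parses constructed firewall lines (the log format, the ten-second window and the four-target threshold are assumptions, not any vendor's format) and reports sources that are scanning, whether or not the firewall let the packets through.

```python
"""Spot worm-style scanning in firewall logs: one source fanning out to many distinct
destinations on the same port within seconds. Added example; the log lines are
constructed to resemble Slammer traffic (UDP/1434, one 376-byte datagram per target),
and the log format, the window and the threshold are assumptions, not a vendor's format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) (?P<proto>UDP|TCP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) len=(?P<len>\d+)$"
)

# Constructed sample: 10.0.0.5 is an unpatched internal SQL Server already infected and
# scanning outward; 10.0.0.9 is a workstation doing ordinary DNS lookups.
SAMPLE_LOG = """\
2003-01-25 05:31:00 ALLOW UDP 10.0.0.5:1434 -> 203.0.113.7:1434 len=376
2003-01-25 05:31:00 ALLOW UDP 10.0.0.5:1434 -> 198.51.100.9:1434 len=376
2003-01-25 05:31:01 DENY UDP 10.0.0.5:1434 -> 192.0.2.44:1434 len=376
2003-01-25 05:31:01 ALLOW TCP 10.0.0.8:51020 -> 203.0.113.7:80 len=52
2003-01-25 05:31:01 DENY UDP 10.0.0.5:1434 -> 192.0.2.45:1434 len=376
2003-01-25 05:31:02 ALLOW UDP 10.0.0.5:1434 -> 198.51.100.10:1434 len=376
2003-01-25 05:31:02 ALLOW UDP 10.0.0.9:53412 -> 10.0.0.2:53 len=48
2003-01-25 05:31:02 ALLOW UDP 10.0.0.9:53412 -> 10.0.0.3:53 len=48
2003-01-25 05:40:00 ALLOW UDP 10.0.0.5:1434 -> 203.0.113.8:1434 len=376
"""


def parse_log(text):
    """Parse the constructed lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        for field in ("sport", "dport", "len"):
            ev[field] = int(ev[field])
        events.append(ev)
    return events


def find_scanners(events, proto, dport, window=timedelta(seconds=10), min_targets=4):
    """Sources that reach at least min_targets distinct destinations on proto/dport within
    any single window. ALLOW and DENY both count: a denied packet still proves the source
    is scanning, which is what matters when the source is one of your own machines.
    Returns {source ip: largest distinct-target count seen in one window}."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["proto"] == proto and ev["dport"] == dport:
            by_src[ev["src"]].append((ev["ts"], ev["dst"]))
    scanners = {}
    for src, hits in by_src.items():
        hits.sort()
        best = 0
        for i, (t0, _) in enumerate(hits):
            targets = {dst for t, dst in hits[i:] if t - t0 <= window}
            best = max(best, len(targets))
        if best >= min_targets:
            scanners[src] = best
    return scanners


def slammer_like(events):
    """Events matching Slammer's on-the-wire fingerprint: a UDP datagram to port 1434
    carrying a 376-byte payload (size as reported in the public analyses of the worm)."""
    return [ev for ev in events
            if ev["proto"] == "UDP" and ev["dport"] == 1434 and ev["len"] == 376]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("scanning sources on UDP/1434:", find_scanners(evs, "UDP", 1434))
    print("slammer-like datagrams:", len(slammer_like(evs)))
```

The fan-out check is the general worm detector; the payload-size check is the Slammer-specific one. Both fire on the internal 10.0.0.5 and neither on the DNS client, and note that the DENY lines are what tell you the firewall is the only thing between an unpatched server and the Internet.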
How Hacking Happens
• Hacking also occurs due to a variety of misconfiguration issues, such as:
  – Not using a firewall to restrict access from the Internet
  – Running programs that are not necessary
  – Poor passwords, default passwords
  – Default configurations
Understanding Networks
[Diagram: ACME Corp network. The Internet (with a "bad person" and a "good person") connects through the Internet router to the company firewall. Behind the firewall, a DMZ network holds the Internet-accessible machines (web server, Exchange e-mail), and a separate internal network holds the protected machines (file server, user workstation, user laptop, printer).]
Understanding Networks
• The example given previously is an example of "best practices" in network design, and provides some defense against Internet attacks
• Many (most?) organizations do not have an adequate network design, and carry significant risk from the Net
• Even the BEST network design can't protect a machine that is itself insecure!
Understanding Networks
• Each machine that can talk to the Internet has a unique identifier called an "IP address"
• IP addresses are sometimes static, and sometimes change frequently (especially for dial-up users)
• Regardless, tracking IP addresses is frequently our only recourse for tracing network attacks
• For example, if the IP address of a hacker can be traced to AOL, it is then possible to obtain further information from AOL through legal action
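Because a dial-up address is reassigned constantly, an ISP can only tie it to a subscriber if you give them the exact time (with its offset) as well as the address, and you need the netblock holder to know whom to ask in the first place. The following is an added example, not code from the slides; it parses constructed web-server log lines, picks out sources that were probing (several 4xx responses), and produces the per-address record with first/last seen and holder. The netblock table and holder names are constructed stand-ins for a WHOIS lookup.

```python
"""Turn raw web-server log lines into the record you would hand an ISP or a lawyer:
which address, how many requests, first and last seen with the UTC offset, and who
holds the netblock. Added example; the log lines, the netblock table and the holder
names are constructed (real attribution uses WHOIS data from the regional registries)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed common-log-format lines: one outside address probing for admin pages,
# one legitimate visitor, one request from a private address (our own NAT, or spoofed).
SAMPLE_ACCESS_LOG = """\
203.0.113.25 - - [25/Jan/2003:05:31:00 +0700] "GET /admin/ HTTP/1.0" 404 312
203.0.113.25 - - [25/Jan/2003:05:31:01 +0700] "GET /manager/ HTTP/1.0" 404 312
198.51.100.7 - - [25/Jan/2003:05:32:10 +0700] "GET /index.html HTTP/1.1" 200 5120
203.0.113.25 - - [25/Jan/2003:05:33:45 +0700] "GET /cgi-bin/test.cgi HTTP/1.0" 404 312
10.0.0.12 - - [25/Jan/2003:05:34:00 +0700] "GET /intranet/ HTTP/1.1" 403 210
"""

# Constructed allocation table standing in for a WHOIS lookup.
NETBLOCKS = [
    ("203.0.113.0/24", "Example ISP A (dial-up pool)"),
    ("198.51.100.0/24", "Example Hosting B"),
]

# Addresses that cannot have arrived from the public Internet (RFC 1918 and loopback).
UNROUTABLE = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_access_log(text):
    """Parse constructed common-log-format lines, keeping the timestamp's offset."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        records.append(rec)
    return records


def netblock_holder(ip, table):
    """Who to ask about an address: the registered holder, or a note that the address
    is unroutable and therefore came from inside (or was spoofed)."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in UNROUTABLE):
        return "unroutable (private/loopback): internal host or spoofed"
    for net, holder in table:
        if addr in ipaddress.ip_network(net):
            return holder
    return "unknown netblock"


def abuse_report(records, table, min_errors=2):
    """One entry per source that drew at least min_errors 4xx responses (a probing
    pattern). First/last seen keep the offset: a dial-up pool reassigns addresses, so
    the ISP can only map an address to a subscriber for an exact moment in time."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["ip"]].append(rec)
    report = []
    for ip, recs in by_ip.items():
        errors = sum(1 for r in recs if r["status"].startswith("4"))
        if errors < min_errors:
            continue
        times = sorted(r["ts"] for r in recs)
        report.append({"ip": ip, "requests": len(recs), "errors": errors,
                       "first_seen": times[0].isoformat(), "last_seen": times[-1].isoformat(),
                       "holder": netblock_holder(ip, table)})
    return report


if __name__ == "__main__":
    for entry in abuse_report(parse_access_log(SAMPLE_ACCESS_LOG), NETBLOCKS):
        print(entry)
```

The private-address check matters in practice: a "hacker" at 10.0.0.12 is either one of your own users behind the NAT or a spoofed packet, and no ISP can help with either.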
Types of Investigation
• Once a call comes in requesting help with an investigation, an engineer is dispatched on-site
• The first (and perhaps most important) step is to discuss the situation with the victim before doing any work
• There are basically three ways to approach an investigation:
  – "Pull the Plug": don't touch the machine
  – "Limited Investigation": tread lightly
  – "Extensive Investigation": heavy footprint
Types of Investigation
• Each of these approaches has advantages and disadvantages, depending on your goals
• The most important question to ask is how strongly the customer feels about trying to prosecute
• The second most important question to ask is how much money they have to spend
"Pull the Plug"
• Used when a company is VERY intent on prosecution and does not want to risk any tampering with evidence
• As the title implies, the only investigation physically performed on the target system is to pull the power and network cords
• This is highly disruptive and expensive, as the server is no longer available
"Pull the Plug"
• There are also drawbacks for the investigation itself (you might miss evidence that would lead you to investigate other systems, for example)
• There is also no opportunity to examine the "state" of the machine, which is lost the moment it is turned off:
  – Which programs are running
  – Current network connections
• Investigation of other data sources should still be performed (for all types of investigation)
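The tension in the three approaches is that the state worth capturing (running programs, live connections, who is logged in) is exactly what a pulled plug destroys, while touching the machine to capture it is what a defence lawyer will call tampering. The usual resolution is to capture the most volatile items first and seal each one with a hash in a detached manifest, so that anything changed afterwards is provable. The following is an added example, not code from the slides; the collector outputs are constructed stand-ins for what the process list, connection table and login list would return on the live box, and the collector names are assumptions.

```python
"""Capture volatile state in order of volatility before any cord is pulled, and seal every
artifact with a SHA-256 manifest so that later tampering (by the intruder, or by anyone
handling the evidence) is detectable. Added example; the collector outputs are constructed
stand-ins for what `ps`, the connection table and the login list would return on the live
machine, and the collector names are assumptions."""
import hashlib
import json
from datetime import datetime, timezone

# Most volatile first: what vanishes the moment power is cut is captured first.
VOLATILE_COLLECTORS = ["network_connections", "running_processes",
                       "logged_in_users", "arp_cache", "system_time"]

# Constructed output of each collector on a compromised box (the IRC daemon in /tmp and
# the remote root login are what a live look reveals and what a pulled plug loses).
CONSTRUCTED_OUTPUT = {
    "network_connections": "tcp 10.0.0.5:6667 198.51.100.9:6667 ESTABLISHED 2231/ircd\n",
    "running_processes": "PID CMD\n1 init\n2231 /tmp/.x/ircd\n4410 /usr/sbin/httpd\n",
    "logged_in_users": "root pts/1 203.0.113.25 Jan 25 05:30\n",
    "arp_cache": "10.0.0.1 00:11:22:33:44:55\n",
    "system_time": "2003-01-25T05:45:00+07:00\n",
}


def collect(collectors, run):
    """Run each collector in order and record what was captured, when, and its hash.
    `run(name)` returns the collector's text; here it is fed from CONSTRUCTED_OUTPUT."""
    artifacts = []
    for name in collectors:
        data = run(name).encode()
        artifacts.append({
            "name": name,
            "captured_at": datetime.now(timezone.utc).isoformat(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "data": data,
        })
    return artifacts


def manifest(artifacts, examiner):
    """Detached record for the customer or prosecutor: names, times and hashes, no data,
    itself hashed so that editing the manifest is as detectable as editing an artifact."""
    entries = [{k: v for k, v in a.items() if k != "data"} for a in artifacts]
    body = json.dumps({"examiner": examiner, "artifacts": entries}, sort_keys=True)
    return {"body": body, "sha256": hashlib.sha256(body.encode()).hexdigest()}


def verify(artifacts, man):
    """Names of artifacts whose contents no longer match the manifest; a single sentinel
    entry if the manifest itself has been altered."""
    if hashlib.sha256(man["body"].encode()).hexdigest() != man["sha256"]:
        return ["<manifest altered>"]
    expected = {e["name"]: e["sha256"] for e in json.loads(man["body"])["artifacts"]}
    return [a["name"] for a in artifacts
            if hashlib.sha256(a["data"]).hexdigest() != expected.get(a["name"])]


if __name__ == "__main__":
    arts = collect(VOLATILE_COLLECTORS, CONSTRUCTED_OUTPUT.__getitem__)
    man = manifest(arts, "examiner-1")
    print("clean:", verify(arts, man))
    arts[1]["data"] = b"PID CMD\n1 init\n4410 /usr/sbin/httpd\n"   # process list "cleaned"
    print("after tampering:", verify(arts, man))
```

A plain hash manifest proves integrity only from the moment it was written; for prosecution it would be signed or handed to a second party at once, which is the "discuss it with the victim before doing any work" step from the previous slide in practice. In the strict "pull the plug" approach `collect` is never run, and the connection to 198.51.100.9 and the root login from 203.0.113.25 are never seen.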
[Figure: "Information Technology Security" framework diagram (marked Unclassified). BP Areas: Operations Management, Environmental Controls, Fire Protection, Risk Management, Personnel Management, Audit Accreditation, Contingency Management, Financial Management. Critical Infrastructure Sectors: Information and Communications, Electrical Power Systems, Banking and Finance, Transportation, Water Supply Systems, Emergency Services, Government Services. Also labelled: BSPs.]
• Some of the universal dos and don'ts that govern us are:
• The road block, or, "do not put all your eggs in one basket".
• The reactionary, or, shutting the gate once the horse has bolted.
• The patchwork quilt, or, divide and fall. Myth: if you buy the best security products on the market, you are less likely to suffer a security breach.
• The plate spinner, or, too much to manage. The key to effective security is vision: the ability to monitor all areas simultaneously and to set up alerts on irregular activity.
• The agoraphobic, or, too paranoid about what's outside. Fear of external threats is understandable, but that's no reason to put all your effort into fending off the wolf at your door. Most accidents happen in the home: internal users or ex-staff commit by far the majority of security breaches. A recent Meta report highlighted that, over the lifecycle of an employee, he or she accumulates 17 user IDs, yet when the employee leaves only eleven of those user IDs are ever deleted.
References
• Find articles about security and breaching in e-Business from sources including:
• http://www.entrepreneur.com/
• http://www.oleran.com/security.htm
• http://www.genuity.com/services/security/
• http://www.unisys.com/
• http://www.macroint.com/
• http://www.vigilinx.com/
• http://www.avatier.com/
• http://www.echelonsystems.com/security
• http://news.com.com/
• http://www.madison-gurkha.com/serv_security
• http://www.cai.com/
• http://www.digitalresearch.com/digitalresearch/company/
• http://chancellor.ucdavis.edu/
• http://www.online-edge.co.uk/
• http://www.activis.com/
• http://www.guidancesoftware.com/
• http://www.informationweek.com/
• http://www.escrowconsulting.com/
• http://www.shake.net/
Summary
• Students are required to write a summary.