Quiz Lesson/Domain 1: Security management practices - Computer System and Network Security (Keamanan Sistem dan Jaringan Komputer)


Quiz for Lesson/Domain 1: Security management practices, Computer System and Network Security (Keamanan Sistem dan Jaringan Komputer) course, Master of Computer Science (MKOM), Universitas Budi Luhur


Page 1: Quiz Lesson/Domain 1: Security management practices - Computer System and Network Security

Paper Network Security

WLAN Security

WLAN has arrived among us, offering several advantages that wired networks do not have. Among them, it allows a computer to move anywhere within the signal coverage area while staying connected to the network, which strongly supports activities that require mobility. Behind these advantages, WLAN has weaknesses, especially regarding its security. Several steps are needed to address these problems so that the advantages of WLAN can still be enjoyed.

1. Attacks on WLAN

A radio-wave-based network is open by nature, meaning that anyone within its range can try to connect to the network even when they have no right to. The term wardriving (wireless footprinting) refers to the activity of gathering information about a WLAN and then attempting to access it. Most do this to obtain free internet access, but some do it out of curiosity or experimentation, and some with genuinely malicious intent. Tools used include: NetStumbler, Kismet, Dstumbler, StumbVerter, GPSMap, JiGLE, Prism2dump, Tcpdump, Ethereal, AiroPeek NX, AirSnort, WLAN-Tools and others.

The weaknesses of WLAN include:

a. Configuration weaknesses

Device vendors provide various facilities to simplify configuration, including a default configuration that can be used to set up a WLAN with little or no configuration at all. Devices left with the vendor's default configuration are very easy to attack, because the information about that configuration is readily found on the internet: the SSID, the IP address used, remote management, DHCP enabled, the frequency channel, and the device's administrator username/password.

b. Encryption weaknesses

WEP (Wired Equivalent Privacy), which was previously used as the wireless security standard, can now easily be broken with tools that can be found on the internet and that are able to break the RC4 key-scheduling algorithm, which is used in


Computer System and Network Security (Keamanan Sistem dan Jaringan Komputer)

Lesson/Domain 1: Security management practices

Lecturer: Hadi Syahrial, M.Kom

Name: Fransiscus Xaverius Eko Budi Kristanto
Student ID (NIM): 1111600126
Class: XA
Master of Computer Science (Magister Ilmu Komputer), Universitas Budi Luhur, Jakarta, 2012

Quiz 1


Lesson/Domain 1: Security management practices 2012

1

1. Which of the following is an example of an ultimate data owner?

A. Front-line employee

B. Customer accessing information via the extranet

C. IT administrator

D. CIO

The answer is: D. CIO

2. What is the term that defines when senior management initiates and sponsors a company’s security program?

A. Bottom-up approach

B. Top-down approach

C. Steering committee

D. Middle-driven approach

The answer is: B. Top-down approach

3. Which of the following would not be part of an organizational security policy?

A. Security program goals

B. E-mail security policy

C. Responsibilities assignments

D. Enforcement information

The answer is: B. E-mail security policy

4. A technique used in qualitative risk analysis that uses the anonymous opinions of all individuals is called what?

A. Consensus approach

B. Delphi Technique

C. Group mentality

D. Group discussion phase

The answer is: B. Delphi Technique

5. Which of the following terms is a recommendation to an employee on how to act?


A. Baseline

B. Rule

C. Guideline

D. Standard

The answer is: C. Guideline

6. Which is not an example or characteristic of qualitative risk analysis?

A. Delphi Technique

B. Storyboarding

C. Single loss expectancy calculations

D. Opinion-based

The answer is: C. Single loss expectancy calculations

7. A policy that is more technically focused and outlines the directives dictated by management is which of the following?

A. System-specific

B. Technical-specific

C. Organizational

D. Issue-specific

The answer is: A. System-specific

8. Which is not an example of security awareness?

A. Security training

B. Security bulletin board notes

C. Security ACLs

D. Security objectives in an employee’s performance review

The answer is: C. Security ACLs

9. A common omission in security programs by many companies is which of the following?

A. Responsibility assignments

B. Penalties for non-compliance


C. Risk analysis

D. Awareness

The answer is: B. Penalties for non-compliance

10. What step should happen first when an employee is terminated if it’s an unfriendly separation?

A. Escorted off premises

B. Network and system access privileges removed

C. Facility ID badges handed out

D. Employee’s personal items should be boxed

The answer is: B. Network and system access privileges removed

11. What is the most important factor in the successful implementation of a companywide security program?

A. Realistic budget estimates

B. Hiring a reputable consulting firm

C. Security awareness

D. Having the support of senior management

The answer is: D. Having the support of senior management

12. Identifying, assessing, and reducing risk to an acceptable level and maintaining the achieved level is referred to as what?

A. Risk planning

B. Risk management

C. Security management

D. Operations management

The answer is: B. Risk management

13. Assigning a dollar figure to a single event assumed by the company if a threat occurred is called what?

A. Single loss expectancy

B. Exposure factor


C. Qualitative risk analysis

D. Quantitative risk analysis

The answer is: A. Single loss expectancy

14. Companies should set up different types of baselines for the company as a whole and for individual departments. This can include physical, technical, and administrative security. Which of the following defines a baseline?

A. Rules indicating what should and should not be done

B. A minimum level of security required

C. Step-by-step instructions used to complete a task

D. Recommendations

The answer is: B. A minimum level of security required

15. A company can’t get rid of all risk. The risk that’s left over is referred to as residual risk, and the company must determine if this corresponds with their acceptable level of risk. Which of the following defines residual risk?

A. Asset value x exposure factor

B. SLE x ARO

C. (Threats x vulnerability x asset value) x control gap

D. Threats x vulnerability x asset value

The answer is: C. (Threats x vulnerability x asset value) x control gap