I Know Your Secret! Strategy to Secure Your Data and Files

Prof. Richardus Eko Indrajit DrBA Ir MSc MBA MPhil MA/MSi CEH CHFI ECSA/LPT EDRP ECIH ACPM CWM ICWM
[email protected]

Agenda for Today
• Cyber-6: The Security and Crime Phenomena
• Personal “Hack”: Threats on the Online World
• Protect Me!: Safeguarding Your Info Assets

Cyber-6: The Security and Crime Phenomena

Cyber-6 Domain
CyberSpace, CyberThreats, CyberAttacks, CyberSecurity, CyberCrime, CyberLaw


About the Cyber Space
• A reality community between the PHYSICAL WORLD and the ABSTRACTION WORLD
• 1.4 billion real human population (internet users)
• Trillion US$ of potential commerce value
• Billion business transactions per hour in 24/7 mode

The Internet is a VALUABLE thing indeed. Risk is embedded within.

Information as Valuable Assets
• Why information?
– It consists of important data and facts (news, reports, statistics, transactions, logs, etc.)
– It can create perception to the public (market, politics, image, marketing, etc.)
– It represents valuable assets (money, documents, passwords, secret codes, etc.)
– It is a raw material of knowledge (strategy, plans, intelligence, etc.)

Internet as an Online Arena
• A giant network of networks where people exchange information through various different digital-based ways:
Email, Mailing List, Website, Chatting, Newsgroup, Blogging, E-commerce, E-marketing, E-government

“… what is the value of the internet?”


About the Cyber Threat
• The trend has increased at an exponential rate
• Motives vary from recreational to criminal purposes
• Can cause significant economic losses and political suffering
• Difficult to mitigate

Threat examples: web defacement, information leakage, phishing, intrusion, DoS/DDoS, SMTP relay, virus infection, hoax, malware distribution, botnet, open proxy, root access theft, SQL injection, trojan horse, worms, password cracking, spamming, malicious software, spoofing, blended attack

Threats are there to stay. Can’t do so much about it.

• Unstructured Threats: Insiders, Recreational Hackers, Institutional Hackers
• Structured Threats: Organized Crime, Industrial Espionage, Hacktivists
• National Security Threats: Terrorists, Intelligence Agencies, Information Warriors

Threat labels on the slide: Hackers Threat, Crackers Threat, Professions Threat, Knowledge Threats, Software Tools Threat, Vulnerabilities-Database Threat, Hacking-Database Threat, Underground Economy Threat, Vulnerabilities Threat

Chart: Incidents and Vulnerabilities Reported to CERT/CC, 1995–2004. Left axis: Total Vulnerabilities (0 to 4,500); right axis: Total Security Incidents (0 to 160,000). Series: Vulnerabilities, Security Incidents.**

“Through 2008, 90 percent of successful hacker attacks will exploit well-known software vulnerabilities.” – Gartner*

* Gartner, “CIO Alert: Follow Gartner’s Guidelines for Updating Security on Internet Servers, Reduce Risks.” J. Pescatore, February 2003
** As of 2004, CERT/CC no longer tracks Security Incident statistics.


About the Cyber Attack
• Too many attacks have been performed within the cyberspace.
• Most are triggered by cases in the real world.
• The eternal wars and battles have been in towns lately.
• The notorious Estonia case has opened the eyes of all people in the world.

Attacks can occur anytime and anyplace without notice.

Pictures: Case #1, Case #2, Case #3, Case #4, Case #5

Attacks Sophistication

Chart: Attack Sophistication vs. Intruder Knowledge, 1980–2005 (vertical axis from Low to High; the knowledge required of the intruder falls while attack sophistication rises). Milestones labelled on the chart: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI automated probes/scans, denial of service, www attacks, “stealth”/advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, cross site scripting. Tools labelled: Staged, Auto Coordinated.

Exploitation Cycle

Advanced Intruders Discover New Vulnerability → Crude Exploit Tools Distributed → Novice Intruders Use Crude Exploit Tools → Automated Scanning/Exploit Tools Developed → Widespread Use of Automated Scanning/Exploit Tools → Intruders Begin Using New Types of Exploits (and the cycle repeats)

Chart: # of Incidents over the cycle, with the “Highest Exposure Time” marked.


About the Cyber Security
• Led by ITU for the international domain, while some standards are introduced by different institutions (ISO, ITGI, ISACA, etc.)
• “Your security is my security”: individual behavior counts, while various collaborations are needed

Education, values, and ethics are the best defense approaches.

Risk Management Aspect of Security

Chart: nodes Risk, Vulnerabilities, Threats, Controls, Security Requirements, Asset Values, Assets; labelled relationships: Threats exploit Vulnerabilities, Vulnerabilities expose Assets, Assets have Asset Values, Controls protect against Threats and reduce Risk, Security Requirements are met by Controls, Risk has an impact on the organisation.

Protection Strategy
• Protecting Information
• Protecting Infrastructure
• Protecting Interactions

Spectrum of Security
• Physical security
• Procedural security
• Personnel security
• Compromising emanations security
• Operating system security
• Communications security

A failure in any of these areas can undermine the security of a system.

Best Practice Standard

BS7799/ISO17799: ten control areas arranged around Information (Integrity, Confidentiality, Availability):
1. Information Security Policy
2. Security Organisation
3. Asset Classification & Controls
4. Personnel Security
5. Physical Security
6. Communication & Operations Mgmt
7. Access Controls
8. System Development & Maint.
9. Bus. Continuity Planning
10. Compliance


About the Cyber Crime
• Globally defined as INTERCEPTION, INTERRUPTION, MODIFICATION, and FABRICATION
• Virtually involving international boundaries and multiple resources
• Intentionally targeted to fulfill special objective(s)
• Convergent in nature with intelligence efforts

Crime has intentional objectives. Stay away from the bull’s eye.

The IT Crime Scenes
IT as a Tool, IT as a Storage Device, IT as a Target

Types of Crime

Crime Motives
• Thrill Seekers
• Organized Crime
• Terrorist Groups
• Nation-States


About the Cyber Law
• Difficult to keep updated as the technology trend moves
• Different stories between the rules and enforcement efforts
• Requires various infrastructure, superstructure, and resources
• Can be easily “out-tracked” by law practitioners

Cyberlaw is here to protect you. At least it plays a role in mitigation.

First Cyber Law in Indonesia
Range of penalty:
• Rp 600 million – Rp 12 billion (equal to US$ 60,000 to US$ 1.2 million)
• 6 to 12 years in prison (jail)
Starting from 25 March 2008

Picture: Indonesia Parliament in Session

Main Challenge
• ILLEGAL: “… the distribution of illegal materials within the internet …”
• ILLEGAL: “… the existence of source with illegal materials that can be accessed through the internet …”

Personal “Hack”: Threats on the Online World

Pictures (slide titles):
• File Management – Microsoft Excel
• URL Management – URL
• Directory Traversal Management – Directory Traversal
• Mailing List Management – Email Reply
• Live Camera Management – Java Applet
• Surveillance Camera Management – Web Monitor
• Security Camera Management – Sony
• Multiple Camera Management – Multi Frame

Protect Me!: Safeguarding Your Info Assets

Security Objective
PHYSICAL SECURITY + INFORMATION SECURITY

Physical Security Checklist
• Company Surroundings
• Premises
• Reception
• Server
• Workstation Area
• Wireless Access Points
• Fax and Removable Media
• Access Control
• Computer Equipment Maintenance
• Wiretapping
• Remote Access

Information Security Checklist
• Password Protection
• Encrypted File System
• Anti Virus Software
• Firewalls
• Intrusion Detection Systems
• Patches and Updates
• Ports and Devices Lock Down

The End. Ready for Q&A.

Prof. Richardus Eko Indrajit – [email protected]