Pertemuan 5 Maksi Stei
Efficiency
Confidentiality
Integrity
Availability
Compliance
Reliability
Plan and Organize
Acquire and Implement
Deliver and Support
Monitor and Evaluate
Security
Confidentiality
Privacy
Processing Integrity
Availability
1. Security is a Management Issue, Not a
Technology Issue
Policy Development
Effective Communication of Policies
The Design and Employment of Appropriate Control Procedures
Monitoring and taking Remedial Action
2. The Time-Based Model of Security
Security is effective when P > D + C, where:
P = the time it takes an attacker to break through the organization's preventive controls
D = the time it takes to detect that an attack is in progress
C = the time it takes to respond to the attack and correct the problem
3. Defense-in-Depth
Reconnaissance: study the target’s physical layout to learn about the controls it has in place.
Attempt social engineering: use the information obtained during the initial reconnaissance to socially engineer (‘trick’) an unsuspecting employee into granting access.
Scan and map the target: identify computers that can be remotely accessed and the types of software they are running.
Research: find known vulnerabilities for those programs and how to take advantage of them.
Execute the attack and obtain unauthorized access to the system.
Cover tracks: create ‘back doors’ that can be used to regain access in the event that the initial attack is discovered and controls are implemented to block that method of entry.
• Authentication Controls: focus on verifying the identity of the person or device attempting to access the system
• Authorization Controls
• Training
• Controlling Physical Access
• Controlling Remote Access (IP packet filtering by border routers and firewalls using access control lists, intrusion prevention systems, dial-up connections, wireless access)
• Host and Application Hardening
– Host configuration
– User accounts
– Software design
• Encryption
Encryption Strength:
- Key length
- Key Management policies
- Nature of the encryption algorithm
Type of encryption systems:
- Symmetric encryption systems
- Asymmetric encryption systems
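The “Controlling Remote Access” bullet above mentions IP packet filtering with access control lists. The following is an added example, not code from the slides, showing how a border-router ACL decides a packet’s fate: rules are tried top to bottom, the first match wins, and a packet that matches nothing falls to an implicit deny. The networks, addresses and rules are constructed for the demo, and a deliberately misordered copy of the list shows why rule order is itself a security-relevant setting.

```python
import ipaddress

# Constructed example of a border-router ACL (not taken from the slides).
# Each rule: (action, protocol, source network, destination network, destination port).
# Rules are evaluated top to bottom; the FIRST matching rule decides, and a packet
# matching no rule is dropped (the implicit "deny any" at the end of a real ACL).
ACL = [
    ("deny",   "any", "10.0.0.0/8",     "any",           None),  # private source arriving from the Internet = spoofed
    ("permit", "tcp", "any",            "192.0.2.10/32", 443),   # anyone may reach the public HTTPS server
    ("permit", "tcp", "203.0.113.0/24", "192.0.2.0/24",  22),    # SSH only from the partner's address range
    ("deny",   "any", "any",            "any",           None),  # explicit default deny (so denied packets can be logged)
]

# The same rules with the anti-spoofing deny moved below the HTTPS permit:
# a common misconfiguration, used below to show why rule order matters.
MISORDERED_ACL = [ACL[1], ACL[0], ACL[2], ACL[3]]


def _in_net(net, ip):
    """True if the address lies in the rule's network ('any' matches everything)."""
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def evaluate(acl, proto, src, dst, dport):
    """Filter one packet. Returns (action, index of the matching rule);
    the index is None when the packet fell through to the implicit deny."""
    for i, (action, r_proto, r_src, r_dst, r_port) in enumerate(acl):
        if r_proto != "any" and r_proto != proto:
            continue
        if not _in_net(r_src, src) or not _in_net(r_dst, dst):
            continue
        if r_port is not None and r_port != dport:
            continue
        return action, i
    return "deny", None


# Constructed sample traffic: (protocol, source, destination, destination port)
SAMPLE_PACKETS = [
    ("tcp", "198.51.100.7", "192.0.2.10", 443),  # Internet client -> HTTPS
    ("tcp", "198.51.100.7", "192.0.2.10", 22),   # Internet client -> SSH
    ("tcp", "203.0.113.5",  "192.0.2.10", 22),   # partner -> SSH
    ("udp", "198.51.100.7", "192.0.2.10", 443),  # UDP to the HTTPS port
    ("tcp", "10.1.2.3",     "192.0.2.10", 443),  # spoofed private source -> HTTPS
]


def filter_all(acl, packets=SAMPLE_PACKETS):
    """Run every sample packet through an ACL and return the decisions in order."""
    return [evaluate(acl, *pkt) for pkt in packets]


if __name__ == "__main__":
    for pkt, decision in zip(SAMPLE_PACKETS, filter_all(ACL)):
        print(pkt, "->", decision)
    # The spoofed packet is permitted once the anti-spoofing deny sits too low in the list.
    print("misordered:", evaluate(MISORDERED_ACL, "tcp", "10.1.2.3", "192.0.2.10", 443))
```

The check a practitioner wants here is the last line: with the anti-spoofing rule placed after the HTTPS permit, the packet with a forged 10.1.2.3 source is accepted by rule 0, so reviewing ACL order is part of reviewing the control.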
Hashing is a process that takes plaintext of any length and transforms it into a short code called a hash.
Comparison of encryption and hashing:
1st, encryption always produces ciphertext similar in length to the original plaintext, but hashing produces a hash of a fixed short length regardless of the input size.
2nd, encryption is reversible (given the key), but hashing is not.
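To make the encryption strength factors (key length, key management, algorithm) and the encryption-versus-hashing comparison concrete, here is an added example that is not part of the slides. The symmetric “cipher” is a textbook XOR stream construction whose keystream is HMAC-SHA256 over a nonce and counter, chosen only because it needs nothing beyond the Python standard library; it is an assumption for illustration, not something to deploy (use AES-GCM or ChaCha20-Poly1305 from a vetted library). The key, nonce and messages are constructed sample values.

```python
import hashlib
import hmac

# Added example (not from the slides). The "cipher" below is a textbook XOR
# stream construction, keystream = HMAC-SHA256(key, nonce || counter), written
# only to make the encryption-vs-hashing comparison concrete. Do not deploy it.


def digest(data: bytes) -> bytes:
    """Hashing: any input length -> a fixed 32-byte code; no key, no way back."""
    return hashlib.sha256(data).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: PRF(key, nonce || counter), block by block."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Symmetric encryption: the ciphertext is exactly as long as the plaintext."""
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Reversible: XOR with the same keystream gives the plaintext back."""
    return encrypt(key, nonce, ciphertext)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def brute_force_one_byte_key(nonce: bytes, ciphertext: bytes, known_prefix: bytes):
    """Key length matters: a 1-byte key (2**8 possibilities) falls to exhaustive
    search in one loop; a 256-bit key (2**256) does not. The attacker only has to
    recognise the plaintext, here via a known prefix such as a file header."""
    for k in range(256):
        key = bytes([k])
        if decrypt(key, nonce, ciphertext).startswith(known_prefix):
            return key
    return None


def nonce_reuse_leak(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bool:
    """Key-management policy matters too: reusing a (key, nonce) pair for two
    messages leaks their XOR, because the keystream cancels out. Returns True
    when c1 XOR c2 equals p1 XOR p2, i.e. the leak is real."""
    c1, c2 = encrypt(key, nonce, p1), encrypt(key, nonce, p2)
    return xor(c1, c2) == xor(p1, p2)


if __name__ == "__main__":
    # Constructed sample values.
    key, nonce = b"\x2a", b"msg-0001"
    msg = b"PAY TO BOB 100000"
    ct = encrypt(key, nonce, msg)
    print("plaintext/ciphertext length:", len(msg), len(ct))
    print("hash length for 1-byte vs 1 MiB input:", len(digest(b"a")), len(digest(b"a" * 2**20)))
    print("recovered 1-byte key:", brute_force_one_byte_key(nonce, ct, b"PAY TO "))
    print("nonce reuse leaks p1 XOR p2:", nonce_reuse_leak(key, nonce, msg, b"PAY TO EVE 999999"))
```

Two things the slide’s comparison does not spell out show up when this runs: a hash of one byte and a hash of a megabyte are both 32 bytes, and a short key is recovered by trying every value, whereas the same loop over a 256-bit key would never finish. The nonce-reuse check is why “key management policies” sit next to key length in the strength list.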
Asymmetric encryption and hashing are used together to create a digital signature: a hash of the document, encrypted with the creator’s private key.
A digital certificate is an electronic document, created and digitally signed by a trusted third party, that certifies the identity of the owner of a particular public key.
Public Key Infrastructure (PKI) refers to the system and processes used to issue and manage asymmetric keys and digital certificates. The organization that issues public keys and digital certificates is called a certificate authority (CA).
Digital signatures use asymmetric encryption to create legally binding electronic documents.
An e-signature is a cursive-style imprint of a person’s name that is applied to an electronic document; unlike a digital signature, it provides no cryptographic proof of who signed or that the document was not altered afterwards.
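The passages above on digital signatures, digital certificates and PKI describe one chain: a hash of the document is encrypted with the signer’s private key, and a certificate signed by a CA tells the verifier which public key belongs to the signer. The following added example, not code from the slides, walks through that chain with textbook RSA over SHA-256. The key sizes, the absence of padding (real signatures use RSA-PSS or ECDSA) and the “Demo CA”, Alice and Mallory names are assumptions made for the demo; the scenario’s invoice text is constructed.

```python
import hashlib
import json
import math
import secrets

# Added example, not from the slides: textbook RSA to show HOW a digital signature
# and a certificate fit together. There is no padding and the keys are small, so
# this is for study only; production code uses a vetted library.

E = 65537


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2  # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_keypair(bits: int = 512):
    """Return ((n, e) public, (n, d) private). A 512-bit modulus is demo size only."""
    half = bits // 2
    while True:
        p = q = 0
        while not is_probable_prime(p):
            p = secrets.randbits(half) | (1 << (half - 1)) | 1  # force top bit and oddness
        while not is_probable_prime(q) or q == p:
            q = secrets.randbits(half) | (1 << (half - 1)) | 1
        n, phi = p * q, (p - 1) * (q - 1)
        if math.gcd(E, phi) == 1:
            return (n, E), (n, pow(E, -1, phi))


def sign(private_key, data: bytes) -> int:
    """Digital signature = hash of the data, encrypted with the signer's private key."""
    n, d = private_key
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    """Decrypt the signature with the public key and compare it to a fresh hash."""
    n, e = public_key
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")


def issue_certificate(ca_private_key, subject: str, subject_public_key) -> dict:
    """The CA binds a name to a public key and signs that binding."""
    body = {"subject": subject, "n": subject_public_key[0], "e": subject_public_key[1], "issuer": "Demo CA"}
    return {"body": body, "signature": sign(ca_private_key, json.dumps(body, sort_keys=True).encode())}


def verify_signed_document(ca_public_key, certificate: dict, data: bytes, signature: int) -> bool:
    """Trust chain: the certificate must verify under the CA's key, then the document
    must verify under the public key named inside the certificate."""
    body = certificate["body"]
    if not verify(ca_public_key, json.dumps(body, sort_keys=True).encode(), certificate["signature"]):
        return False  # forged or altered certificate: do not trust the key it carries
    return verify((body["n"], body["e"]), data, signature)


def run_demo() -> dict:
    """Constructed scenario: Alice signs an invoice; Bob checks it via Alice's certificate."""
    ca_pub, ca_priv = generate_keypair()
    alice_pub, alice_priv = generate_keypair()
    mallory_pub, mallory_priv = generate_keypair()
    cert = issue_certificate(ca_priv, "alice@example.com", alice_pub)
    invoice = b"Invoice 4711: pay 1000 EUR to account DE00 1234"
    sig = sign(alice_priv, invoice)
    # Mallory issues herself a certificate in Alice's name, but not with the CA's key.
    forged_cert = issue_certificate(mallory_priv, "alice@example.com", mallory_pub)
    return {
        "valid": verify_signed_document(ca_pub, cert, invoice, sig),
        "tampered_document": verify_signed_document(ca_pub, cert, invoice.replace(b"1000", b"9000"), sig),
        "wrong_signer": verify_signed_document(ca_pub, cert, invoice, sign(mallory_priv, invoice)),
        "forged_certificate": verify_signed_document(ca_pub, forged_cert, invoice, sign(mallory_priv, invoice)),
    }


if __name__ == "__main__":
    print(run_demo())
```

Only the first case verifies. The tampered invoice fails because the hash no longer matches, Mallory’s signature fails under Alice’s certified key, and Mallory’s self-issued certificate fails at the first step because it was not signed by the CA, which is exactly the role the PKI passage assigns to the certificate authority.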
Types of firewalls
Antivirus programs and intrusion detection systems
Detective controls monitor the effectiveness of preventive controls and detect incidents that occur.
4 Types of Detective Control:
1. Log Analysis
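Log analysis, the first detective control listed, means reading the records that preventive controls (here, authentication) leave behind and looking for patterns that a single event does not reveal. The following is an added example, not code from the slides: it runs two detections over constructed sshd-style log lines (a burst of failed logins from one address, and a successful login right after such a burst). The log format, hostnames, usernames and addresses are invented for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example (not from the slides): log analysis as a detective control.
# Constructed sshd-style lines with ISO timestamps; hosts, users and addresses
# are invented for the demo.
SAMPLE_LOG = """\
2024-03-05T10:12:01 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
2024-03-05T10:12:04 web1 sshd[2213]: Failed password for invalid user oracle from 203.0.113.45 port 51130 ssh2
2024-03-05T10:12:07 web1 sshd[2215]: Failed password for root from 203.0.113.45 port 51138 ssh2
2024-03-05T10:12:09 web1 sshd[2218]: Failed password for deploy from 203.0.113.45 port 51142 ssh2
2024-03-05T10:12:12 web1 sshd[2220]: Failed password for deploy from 203.0.113.45 port 51150 ssh2
2024-03-05T10:12:15 web1 sshd[2222]: Failed password for deploy from 203.0.113.45 port 51155 ssh2
2024-03-05T10:12:18 web1 sshd[2224]: Accepted password for deploy from 203.0.113.45 port 51160 ssh2
2024-03-05T10:13:02 web1 sshd[2230]: Failed password for alice from 198.51.100.9 port 40001 ssh2
2024-03-05T10:13:09 web1 sshd[2232]: Accepted password for alice from 198.51.100.9 port 40004 ssh2
2024-03-05T10:13:30 web1 CRON[2240]: pam_unix(cron:session): session opened for user root by (uid=0)
2024-03-05T10:15:00 web1 sshd[2250]: Accepted publickey for bob from 192.0.2.77 port 50200 ssh2
"""

LINE_RE = re.compile(
    r"^(\S+) \S+ sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse(line: str):
    """Return a dict for an sshd login event, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, outcome, user, src = m.groups()
    return {"ts": datetime.fromisoformat(ts), "ok": outcome == "Accepted", "user": user, "src": src}


def analyse(lines, threshold=5, window=timedelta(seconds=60), suspicious_after=3):
    """Two detections over a sliding window per source address:
    - brute_force: `threshold` or more failures within `window`
    - success_after_failures: a login succeeds after `suspicious_after` or more
      recent failures from the same source, the pattern of a guessed password.
    Returns a list of (alert_type, source, detail, timestamp) tuples in log order."""
    recent_failures = defaultdict(deque)
    already_flagged = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # not a login event
        q = recent_failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:  # drop failures outside the window
            q.popleft()
        if not ev["ok"]:
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in already_flagged:
                already_flagged.add(ev["src"])  # one brute-force alert per source
                alerts.append(("brute_force", ev["src"], len(q), ev["ts"]))
        else:
            if len(q) >= suspicious_after:
                alerts.append(("success_after_failures", ev["src"], ev["user"], ev["ts"]))
            q.clear()  # a success ends the run of failures for this source
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG.splitlines()):
        print(*alert)
```

On the sample log this raises a brute-force alert at the fifth failure from 203.0.113.45 and a second, more urgent alert when the same address then logs in as deploy; alice’s single typo followed by a success raises nothing. The thresholds are tunable and the choice is a policy decision of the kind the “management issue” principle refers to.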