• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability

• Plan and Organize
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate

• Security
• Confidentiality
• Privacy
• Processing Integrity
• Availability
1. Security is a Management Issue, Not a Technology Issue
• Policy Development
• Effective Communication of Policies
• The Design and Employment of Appropriate Control Procedures
• Monitoring and Taking Remedial Action
2. The Time-Based Model of Security
• P = Preventive Control
• D = Detective Control
• C = Corrective Control
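The slide only names P, D and C; the model behind it treats the controls as times (how long preventive controls hold an attacker off versus how long detection and correction take) and calls security effective when P > D + C. The following is an added example, not part of the original slides, that applies that condition to a constructed scenario and then brute-forces the cheapest set of hypothetical control improvements that satisfies it. All scenario values, option names and costs are invented for illustration.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class ControlOption:
    """A hypothetical control improvement and its effect on P, D or C (minutes)."""
    name: str
    delta_p: float  # minutes added to P (preventive controls hold longer)
    delta_d: float  # minutes removed from D (faster detection)
    delta_c: float  # minutes removed from C (faster correction)
    cost: float     # arbitrary cost units


def security_margin(p: float, d: float, c: float) -> float:
    """P - (D + C): positive means preventive controls outlast detect + correct."""
    return p - (d + c)


def is_effective(p: float, d: float, c: float) -> bool:
    """The time-based model's condition: P > D + C."""
    return security_margin(p, d, c) > 0


def apply_options(options, p: float, d: float, c: float):
    """Apply a set of improvements; D and C cannot drop below zero."""
    for o in options:
        p += o.delta_p
        d = max(0.0, d - o.delta_d)
        c = max(0.0, c - o.delta_c)
    return p, d, c


def cheapest_effective_set(p: float, d: float, c: float, options):
    """Exhaustively search subsets (fine for a handful of options) for the
    lowest-cost combination that makes the model's condition hold."""
    best = None
    for k in range(len(options) + 1):
        for subset in combinations(options, k):
            if is_effective(*apply_options(subset, p, d, c)):
                cost = sum(o.cost for o in subset)
                if best is None or cost < best[0]:
                    best = (cost, subset)
    return best  # None if no combination works


# Constructed scenario: attackers need 15 min to get through preventive
# controls, detection takes 10 min and correction 8 min -> not effective.
SCENARIO = (15.0, 10.0, 8.0)
OPTIONS = [
    ControlOption("Add intrusion prevention system", 10.0, 0.0, 0.0, 20.0),
    ControlOption("24x7 log monitoring", 0.0, 6.0, 0.0, 30.0),
    ControlOption("Pre-staged incident response playbook", 0.0, 0.0, 4.0, 5.0),
    ControlOption("Stronger authentication", 2.0, 0.0, 0.0, 8.0),
]
```

Calling `cheapest_effective_set(*SCENARIO, OPTIONS)` shows that, in this constructed scenario, the cheapest fix is the corrective-control improvement alone: C falls to 4 and the margin becomes 15 - (10 + 4) = 1.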
3. Defense-in-Depth
Reconnaissance: study the target's physical layout to learn about the controls it has in place.
Attempt social engineering: try to use the information obtained during the initial reconnaissance to socially engineer ('trick') an unsuspecting employee into granting them access.
Scan and map the target: identify computers that can be remotely accessed and the types of software they are running.
Research: conduct research to find known vulnerabilities in those programs and how to take advantage of those vulnerabilities.
Execute the attack and obtain unauthorized access to the system.
Cover tracks: create 'back doors' that can be used to obtain access in the event that the initial attack is discovered and controls are implemented to block that method of entry.
• Authentication Controls: focus on verifying the identity of the person or device attempting to access the system
• Authorization Controls
• Training
• Controlling Physical Access
• Controlling Remote Access (IP packet filtering by border routers and firewalls using access control lists, intrusion prevention systems, dial-up connections, wireless access)
• Host and Application Hardening
– Host configuration
– User accounts
– Software design
• Encryption
Encryption strength depends on:
- Key length
- Key management policies
- Nature of the encryption algorithm
Types of encryption systems:
- Symmetric encryption systems
- Asymmetric encryption systems
Hashing is a process that takes plaintext of any length and transforms it into a short code called a hash.
Comparison of encryption and hashing:
1st, encryption always produces ciphertext similar in length to the original plaintext, but hashing produces a hash of a fixed, short length.
2nd, encryption is reversible, but hashing is not.
Asymmetric encryption and hashing are used to create a digital signature, which is information encrypted with the creator's private key.
A digital certificate is an electronic document, created and digitally signed by a trusted third party, that certifies the identity of the owner of a particular public key.
Public Key Infrastructure (PKI) refers to the system and processes used to issue and manage asymmetric keys and digital certificates. The organization that issues public keys and digital certificates is called a certificate authority.
Digital signatures use asymmetric encryption to create legally binding electronic documents.
An e-signature is a cursive-style imprint of a person's name that is applied to an electronic document.
• Types of dilemma for firewalls
• Antivirus programs and intrusion detection systems
• Monitor the effectiveness of preventive controls and detect incidents that occur
4 types of detective control:
1. Log Analysis
is the process of examining "logs" to monitor security.
"Logs" here means records of access into a system.
2. Intrusion Detection System
creates "logs" of the network traffic that is permitted to pass through the firewall and analyzes those "logs" for signs of a successful intrusion.
Three methods of analysis:
1. Compare the "logs" against a database.
2. Build a model that represents "normal" network traffic.
3. IDS sensors
3. Managerial Reports
Management creates a scorecard as a way to monitor the effectiveness of the security system.
Its 3 indicators:
1. Number of incidents affecting the business.
2. Percentage of users not complying with the password standard.
3. Percentage of cryptographic keys compromised and revoked.
4. Security Testing
How it is done:
1. Vulnerability scan using automated tools designed to identify whether the existing system has vulnerabilities.
2. Penetration test: authorizing an internal audit team or an external security consulting firm to break into the organization's information system.
3 components for managing incidents and problems:
1. Establish a Computer Emergency Response Team
2. Assign someone to be responsible for information security, namely the Chief Information Security Officer (CISO)
3. Organize a patch management system.