
Information Security Essentials for IT Managers:

Protecting Mission-Critical Systems

1. Information Security Essentials for IT Managers, Overview


Scope of Information Security Management
The shift to a risk-based paradigm, as opposed to a technical-solution paradigm for security, asserts that a secure organization does not come from securing the technical infrastructure alone.
CISSP 10 Domains of Information Security (Common Body of Knowledge)
1. Access Control
Concerns who may access data and what may and may not be done with that data.
2. Telecommunication and network security
Examination of internal, external, public, and private network communication systems, including devices, protocols, and remote access.
3. Information security and risk management
Controlling and managing physical, technical, and administrative measures with the aim of reducing the potential for attacks and financial loss.
4. Application security
Security of application programs.
5. Cryptography
Securing data by encrypting data that is confidential.
6. Security architecture and design
Designing security applications that meet the applicable criteria.
7. Operations security
Controls over personnel, hardware systems, and auditing and monitoring techniques such as AV maintenance, training, audits, and resource protection; preventive, detective, corrective, and recovery controls; and security and fault-tolerance technologies.
8. Business continuity and disaster recovery planning
Protecting business operations when facing disruption or disaster. Important aspects are identifying the value of resources, performing a business impact analysis, and producing business unit priorities, contingency plans, and crisis management.
9. Legal, regulatory, compliance and investigations
Concerns determining fault based on the applicable policies and laws.
10. Physical (environment) security
Concerns security against threats and risks, and the measures taken to protect facilities, hardware, data, media, and personnel.

What Is a Threat?

Threats can come from forces of nature (tornadoes, floods) or from human error that endangers information assets.

Common Attacks
o Industrial espionage
o Spam, phishing, and hoaxes
o Denial of service (DoS) and distributed denial of service (DDoS)
o Botnets

Impact of Security Breaches

Beyond money, the biggest loss in a breach is the loss of confidential information that should be known only to the people responsible for it within the organization.
2. Protecting Mission-Critical Systems
Information Assurance
Information assurance is achieved when information and information systems are protected against attacks through the application of security services such as availability, integrity, authentication, confidentiality, and nonrepudiation.
Information Risk Management
The steps an organization takes to reduce the risk of damage to or disruption of its information assets. Some examples of threats or risks:
o Physical damage
o Human interaction
o Equipment malfunction
o Internal or external attack
o Misuse of data
o Loss of data
o Application error
Defense in Depth
Building security in several levels or layers, so that when one system is attacked, the other layers are still able to provide protection.
Contingency Planning
Ensuring the organization can survive a breach or disaster. To ensure this, several steps are carried out: business impact analysis, incident response planning, disaster recovery planning, and business continuity planning.
3. Information Security from the Ground Up
Physical Security
Protecting facilities, hardware, data, media, and personnel. Some security systems are restricted areas, authorization models, intrusion detection, fire detection, and security guards.
Data Security
Data security is the core of what must be protected in information security and mission-critical systems. There are two ways to secure data: data classification and access control models.
Systems and Network Security
This lies at the core of information security. By using hardened systems and networks, the organization can protect confidential information.
Host-Based Security
o OS hardening
o Removing unnecessary services
o Patch management
o Antivirus
o Intrusion detection systems (IDSs)
o Firewalls
o Data encryption software
o Backup and restore capabilities
o System event logging
Network-Based Security
o Intrusion Detection: packet sniffing and recording tools, intrusion detection systems, anomaly detection systems
o Intrusion Prevention: firewalls, intrusion prevention systems

Business Communications Security

Business communication carried over the internet is advised to follow several rules so that information security is maintained:
o General Rules for Self-Protection
o Handling Protection Resources
o Rules for Mobile IT Systems
o Operation on Open Networks
o Additional Business Communications Guidelines

Wireless Security
Types of security commonly used for wireless security:
o Access control
o Confidentiality
o Integrity
o Availability

Web and Application Security

Security concerning websites and applications, since they have many vulnerabilities that can be exploited to steal information.

Security Policies and Procedures

Security Employee Training and Awareness

The 10 Commandments of SETA:
1. Information security is a people, rather than a technical, issue.
2. If you want them to understand, speak their language.
3. If they cannot see it, they will not learn it.
4. Make your point so that you can identify it and so can they.
5. Never lose your sense of humor.
6. Make your point, support it, and conclude it.
7. Always let the recipients know how the behavior that you request will affect them.
8. Ride the tame horses.
9. Formalize your training methodology.
10. Always be timely, even if it means slipping schedules to include urgent information.
4. Security Monitoring and Effectiveness
Security Monitoring Mechanisms
Security monitoring involves real-time or near-real-time monitoring of events and activities happening on all your organization's important systems at all times.
Incidence Response and Forensic Investigations
Network forensic investigation is the investigation and analysis of all
the packets and events generated on any given network in the hope of
identifying the proverbial needle in a haystack.

Validating Security Effectiveness

Ensuring that the security systems in use work as expected and are genuinely able to reduce threats or risks.

Security Management Systems

1. Security Management System Standards

To give organizations a starting point for developing their security management system, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) created the Information Security Management Standard.
2. Training Requirements
By providing training to personnel, the organization should become able to create security policies and user roles that are specific to it.
3. Principles of Information Security
There are three main elements in information security: Confidentiality, Integrity and Availability.
4. Roles and Responsibilities of Personnel
Responsibility is required from every level of personnel:
o Chief information officer: creating and maintaining the organization's policies
o Network engineer: the physical side
o Network administrator: network devices
o End users: using the facilities in accordance with the policies
5. Security Policies
Help prevent unauthorized access to the organization's data.
6. Security Controls
There are three types of security controls that ensure a security policy is applied successfully: physical, technical and administrative controls.
7. Network Access
Partitioning access among end users so that each end user can only access the data they need.
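As an added example (not from the original notes or the textbook they summarize), the following Python models the two mechanisms named under Data Security, data classification and an access control model, and the Network Access point that each end user should see only the data they need. The classification levels, departments, users and documents are constructed sample data.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    """Constructed classification scheme, lowest to highest sensitivity."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3

@dataclass(frozen=True)
class Document:
    name: str
    level: Level
    owner_dept: str          # department that owns the data (need-to-know scope)

@dataclass(frozen=True)
class User:
    name: str
    clearance: Level
    dept: str

def can_read(user: User, doc: Document) -> bool:
    """Classification rule: no read-up. Need-to-know rule: confidential and
    above are readable only inside the owning department."""
    if user.clearance < doc.level:
        return False
    if doc.level >= Level.CONFIDENTIAL and user.dept != doc.owner_dept:
        return False
    return True

def can_write(user: User, doc: Document) -> bool:
    """Writing is tighter than reading: the user must also belong to the
    owning department, so data cannot be altered from outside its owner."""
    return can_read(user, doc) and user.dept == doc.owner_dept

def readable_for(user: User, docs: list[Document]) -> list[str]:
    """Names of the documents this user may read, useful for access reviews."""
    return [d.name for d in docs if can_read(user, d)]

# Constructed sample data (hypothetical departments, users and documents).
DOCS = [
    Document("press-release.txt", Level.PUBLIC, "marketing"),
    Document("org-chart.pdf", Level.INTERNAL, "hr"),
    Document("payroll.xlsx", Level.CONFIDENTIAL, "hr"),
    Document("merger-plan.docx", Level.RESTRICTED, "exec"),
]
HR_CLERK = User("ana", Level.CONFIDENTIAL, "hr")
ENGINEER = User("ben", Level.CONFIDENTIAL, "eng")
CEO = User("cara", Level.RESTRICTED, "exec")
```

Note that the CEO's higher clearance does not grant access to HR's confidential payroll file: classification bounds what a user could ever see, while the need-to-know scope narrows it to what the role requires.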
8. Risk Assessment
Identifying every threat so that data loss through each existing vulnerability can be prevented.
9. Incident Response
Assigning an investigator whose job is to respond when a system breach occurs.
10. Summary
To build a security management system, the organization must first inventory its critical business processes. Then it implements protection for them. Finally it reviews the security management system. (Plan-Do-Check-Act)

Information Technology Security Management

The main goal of IT security is to ensure that the confidentiality, integrity, and availability (CIA) of IT systems are achieved.

1. Information Security Management Standards

Federal Information Security Management Act
Step 1: Categorize
Categorize information systems and internal information based on their impact.
Step 2: Select
Use the first step to select an initial set of security controls for the information system and apply tailoring guidance as appropriate, to obtain a starting point for required controls.
Step 3: Supplement
Assess the risk and local conditions, including the security requirements, specific threat information, and cost/benefit analyses or special circumstances. Supplement the initial set of security controls based on these analyses.
Step 4: Document
The original set of security controls and the supplements should be documented.
Step 5: Implement
The security controls you identified and supplemented should be implemented in the organization's information systems.
Step 6: Assess
The security controls should be assessed to determine
whether the controls are implemented correctly, are operating as
intended, and are producing the desired outcome with respect to
meeting the security requirements for the system.
Step 7: Authorize
Upon a determination of the risk to organizational operations,
organizational assets, or individuals resulting from their operation,
authorize the information systems.
Step 8: Monitor
Monitor and assess selected security controls in the
information system on a continuous basis, including documenting
changes to the system.
International Organization for Standardization
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) published ISO/IEC 17799:2005. These standards establish guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization.

Other Organizations Involved in Standards

Other organizations that are involved in information security management include The Internet Society and the Information Security Forum.
2. Information Technology Security Aspects
Security Policies and Procedures
Security policies and procedures constitute the main part of any organization's security. These steps are essential for implementing IT security management: authorizing security roles and responsibilities to various security personnel; setting rules for expected behavior from users and security role players; setting rules for business continuity plans; and more.
IT Security Processes
Achieving effective IT security requires processes related to security management. These processes include business continuity strategy, processes related to IT security governance planning, and IT security management implementation.

3. Conclusions
Information technology security management comprises the processes for protecting an organization's IT operations and assets from internal or external threats, intentional or otherwise. The goal of these processes is to ensure the confidentiality, integrity and availability of IT systems. It covers security policies and procedures, security organization structure, IT security processes, and rules and regulations.

Identity Management

1. Introduction
Identity has become a burden in the online world. When it is stolen,
it engenders a massive fraud, principally in online services, which
generates a lack of confidence in doing business with providers and
frustration for users.
2. Evolution of Identity Management Requirements
Digital Identity Definition
A digital identity is a representation of an entity in a specific context.
Identity Management Overview
Digital identity should manage three connected vertexes: usability, cost, and risk. Identity management systems are elaborated to deal with the following core facets:
o Reducing identity theft
o Management
o Reachability
o Authenticity
o Anonymity and pseudonymity
o Organization personal data management
Privacy Requirement
Privacy is a central issue due to the fact that the official authorities of almost all countries have strict legal policies related to identity.
User Centricity
In user-centric identity management, the user has full control over her identity and a consistent user experience during all transactions when accessing her services.
Usability Requirement
Concerns Single Sign-On.
3. The Requirements Fulfilled by Current Identity Management Technologies
Evolution of Identity Management
Identity Management 1.0
Identity 2.0
The main objective of the Identity 2.0 protocol is to provide users
with full control over their virtual identities. An important aspect of
Identity 2.0 is protection against increasing Web attacks such as
phishing as well as the inadvertent disclosure of confidential
information while enabling convenient management.
4. Identity 2.0 for Mobile Users
Mobile Web 2.0
Mobility
Evolution of Mobile Identity

The Future of Mobile User-Centric Identity Management in an Ambient Intelligence World
Research Directions
5. Conclusions
Internet use has grown very sharply, but in fact the internet has not developed an identity layer adequate for protection against major security risks. Password fatigue and online fraud are problems that keep growing and erode users' trust.
Future identity management solutions are expected to work in the mobile computing setting, anywhere and at any time. Mobile identity management works to support a broad range of information technologies and devices, with the critical requirements being usability on the move, privacy, scalability and energy friendliness.

Intrusion Prevention and Detection Systems

1. What Is an Intrusion, Anyway?

An intrusion is someone who threatens or damages the confidentiality, integrity and availability of an information system and of the information itself.
Physical Theft
Stealing a computer system (lol)
Abuse of Privileges (The Insider Threat)
Occurs when someone misuses their privileges, with bad consequences for the organization.
2. Unauthorized Access by an Outsider
3. Malware Infection
4. The Role of the 0-Day
5. The Rogues Gallery: Attackers and Motives
6. A Brief Introduction to TCP/IP
7. The TCP/IP Data Architecture and Data Encapsulation
8. Survey of Intrusion Detection and Prevention Technologies
9. Antimalware Software
10. Network-Based Intrusion Detection Systems
11. Network-Based Intrusion Prevention Systems
12. Host-Based Intrusion Prevention Systems
13. Security Information Management Systems
14. Network Session Analysis
15. Digital Forensics
16. System Integrity Validation
17. Putting It All Together
