Keamanan Sistem (CS4633) ..:: Information Security Controls : - PowerPoint PPT Presentation

1 / 32
About This Presentation
Title:

Keamanan Sistem (CS4633) ..:: Information Security Controls :

Description:

Title: Teori Keamanan Informasi Author: TOSHIBA Last modified by: suranto Created Date: 9/5/2006 11:18:11 PM Document presentation format: On-screen Show – PowerPoint PPT presentation

Number of Views:96
Avg rating:3.0/5.0
Slides: 33
Provided by: TOSHI250
Category:

less

Transcript and Presenter's Notes

Title: Keamanan Sistem (CS4633) ..:: Information Security Controls :


1
Keamanan Sistem (CS4633).. Information
Security Controls
  • Pertemuan 8
  • 05/10/2006
  • Fazmah Arif Yulianto

2
Types of Inf_Sec Controls
  • Preventive
  • Detective
  • Deterrent
  • Corrective
  • Recovery

?
  • Physical
  • Technical (logical)
  • Administrative (personnel)

3
Terminologies
  • Preventive controls attempt to avoid the
    occurrence of unwanted events
  • Detective controls attempt to identify unwanted
    events after they have occurred
  • Deterrent controls are intended to discourage
    individuals from intentionally violating
    information security policies or procedures
  • Corrective controls either remedy the
    circumstances that allowed the unauthorized
    activity or return conditions to what they were
    before the violation
  • Recovery controls restore lost computing
    resources or capabilities and help the
    organization recover monetary losses caused by a
    security violation

4
Physical Controls Preventive
  • To prevent unauthorized personnel from entering
    computing facilities (i.e., locations housing
    computing resources, supporting utilities,
    computer hard copy, and input data media) and to
    help protect against natural disasters.
  • Examples of these controls include
  • Backup files and documentation, backup power
  • Fences, Security guards, Badge systems.
  • Double door systems, Locks and keys, Biometric
    access controls.
  • Site selection.
  • Fire extinguishers etc.

5
Physical Controls Detective
  • Warn protective services personnel that physical
    security measures are being violated.
  • Examples of these controls include
  • Motion detectors.
  • Smoke and fire detectors.
  • Closed-circuit television monitors.
  • Sensors and alarms etc.

6
Some types of Physical Security
  • Barriers walls, fences, doors, gates etc.
  • Q Who or what is the barrier intended to stop,
    and for how long?
  • Locks day access locks, after-hours locks,
    emergency egress locks
  • Mechanical / electrical
  • door control system authentication door
    locking devices
  • Lock vs lockpicking
  • Alarms primarily for letting us know if control
    is functioning properly that is, has it been
    breached?
  • Q who and what is it supposed to detect, and
    what is the intended response?

7
Physical Security (contd)
  • Lights and cameras best suited for assessing a
    situation a tool to extend the eyes (and
    sometimes ears) of the guard force.
  • A common misuse of cameras is assuming that they
    will detect an intruder
  • Antitheft, Antitamper, and Inventory Controls
  • Antitamper devices control access to ensure the
    integrity of the protected asset
  • Antitheft devices and inventory controls are
    intended to limit movement to a confined area

8
Backup Files and Documentation
  • Backup files should be stored far enough away
    from the active data or documentation to avoid
    destruction by the same incident that destroyed
    the original.
  • Backup material should be stored in a secure
    location constructed of noncombustible materials,
    including two-hour rated fire walls.
  • Backups of sensitive information should have the
    same level of protection as the active files of
    this information

9
Backup Power
  • Backup power is necessary to ensure that computer
    services are in a constant state of readiness and
    to help avoid damage to equipment if normal power
    is lost.
  • For short periods of power loss, backup power is
    usually provided by batteries.
  • In areas susceptible to outages of more than
    1530 min., diesel generators are usually
    recommended.

10
Fire extinguisher
  • Automatic water sprinkler beware of the risk of
    water damage to computing equipments
  • Carbon dioxide extinguishing systems were
    developed save for equipments, lethal for human
  • Halon extinguisher usually harmless to equipment
    and less dangerous to personnel than carbon
    dioxide.
  • At a concentration of about 10, Halon
    extinguishes fire and can be safely breathed by
    humans
  • High cost

11
Biometric Access Controls
  • Biometrics used for identification include
    fingerprints, handprints, voice patterns,
    signature samples, and retinal scans.
  • Because biometrics cannot be lost, stolen, or
    shared, they provide a higher level of security
    than badges.
  • Biometric identification is recommended for
    high-security, low-traffic entrance control.

12
More on biometrics
  • Every person has unique physiological,
    behavioral, and morphological characteristics
    that can be examined and quantified.
  • Biometrics is the use of these characteristics to
    provide positive personal identification.

13
Some Biometric Performances
  • Fingerprint Scan False rejection rate 9.4
    False acceptance rate 0 Average processing
    time 7 seconds
  • Retinal scan FRR 1.5 FAR 1.5 APT 7
    seconds
  • Palm scan FRR 0 FAR 0.00025 APT 2-3
    seconds
  • Hand geometry FRR 0.1 FAR 0.1 ATP 2 to
    3 seconds
  • Facial recognition ATP 2 seconds
  • Voice verification FRR 8.2 FAR 0.4 ATP
    2 to 3 seconds

14
(No Transcript)
15
A basic role of physical security
  • to keep unwanted people / things out,
  • and to keep insiders honest

16
Technical Controls Preventive
  • To prevent unauthorized personnel or programs
    from gaining remote access to computing
    resources.
  • Examples of these controls include
  • Access control software.
  • Antivirus software.
  • Library control systems.
  • Passwords.
  • Smart cards.
  • Encryption.
  • Dial-up access control and callback systems. etc.

17
Technical Controls Detective
  • Warn personnel of violations or attempted
    violations of preventive technical controls.
  • Examples of these include
  • Audit trails
  • Intrusion detection expert systems

18
Access Control Software
  • To control sharing of data and programs between
    users.
  • In many computer systems, access to data and
    programs is implemented by access control lists
    that designate which users are allowed access.
  • Access control software provides the ability to
    control access to the system by establishing that
    only registered users with an authorized log-on
    ID and password can gain access to the computer
    system.
  • After access to the system has been granted, the
    next step is to control access to the data and
    programs residing in the system.
  • The data or program owner can establish rules
    that designate who is authorized to use the data
    or program

19
Access Controls
  • One among central issues in security
  • Specify what users can do, what resources they
    can access, and what operations they can perform
    on a system
  • The effectiveness of access control rests on the
    proper user authentication and on the correctness
    of the authorizations

20
An idealized model
21
Audit Control
  • Concern a posteriori analysis of all the request
    and activities of users in the system ? requires
    logging
  • Useful as/to
  • Deterrent/pencegah
  • Find out about possible attempted or actual
    violations
  • Determining possible flaws in the system
  • Hold users accountable for their actions

22
Control over access
  • More security is not necessarily less access.
    That is, controlled access does not equal denied
    access
  • Practically all controls fall somewhere in
    between providing complete access and total
    denial. Thus, it is the level of control over
    access not the amount of access that provides
    security.

23
Layered Defense
BREADTH
DEPTH
DETERRENCE
24
Layered Defense Breadth
  • A single type of control rarely eliminates all
    vulnerabilities
  • suppose one decides to control read access to
    data by using a log-on password. But the log-on
    password does not afford protection if one sends
    the data over the Internet. A different type of
    control (i.e., encryption) would therefore
    provide the additional coverage needed.

25
Layered Defense Depth
  • To be realistic with security, one must believe
    in failure ? Any given control is not perfect and
    will fail, sooner or later.
  • Adds layers of additional access controls as a
    backstop measure.
  • Example The password will not stay secret
    forever ? embrace the common dictum, something
    you have, something you know, and something you
    are. (password, smartcard, fingerprint)

26
Layered Defense Deterrence
  • Simply putting enough controls in place that the
    cost or feasibility of defeating them without
    getting caught is more than the prize is worth.
  • Examples surveillance cameras, activity logging

27
Password
  • Passwords are used to verify that the user of an
    ID is the owner of the ID.
  • Fixed passwords that are used for a defined
    period of time are often easy for hackers to
    compromise
  • Choosing good passwords?
  • One-time password
  • Time-synchronized type
  • Challenge type

28
(No Transcript)
29
Administrative Controls Preventive
  • Personnel-oriented techniques for controlling
    peoples behavior to ensure the confidentiality,
    integrity, and availability of computing data and
    programs.
  • Examples of preventive administrative controls
    include
  • Security awareness and technical training.
  • Separation of duties.
  • Procedures for recruiting and terminating
    employees.
  • Security policies and procedures.
  • Supervision.
  • Disaster recovery, contingency, and emergency
    plans.
  • User registration for computer access.

30
Administrative Controls Detective
  • To determine how well security policies and
    procedures are complied with, to detect fraud,
    and to avoid employing persons that represent an
    unacceptable security risk.
  • This type of control includes
  • Security reviews and audits.
  • Performance evaluations.
  • Required vacations.
  • Background investigations.
  • Rotation of duties

31
(No Transcript)
32
References
  • Harold F. Tipton, Types of Information Security
    Controls, Information Security Management
    Handbook, 5th ed., Harold F. Tipton Micki
    Krause (editor), 2004, pp. 113-135
  • Ravi S. Sandhu Pierangela Samarati, Access
    Control Principles and Practice
Write a Comment
User Comments (0)
About PowerShow.com