
Meeting 5: Human Factors of Risks in e-Business








  1. Meeting 5: Human Factors of Risks in e-Business. Course: F0662/Web Based Accounting. Year: 2005. Version: 1/0

  2. Learning Outcomes
  By the end of this meeting, students are expected to be able to:
  • Explain that human factors are one of the weak-link factors (TIK-5)
  • Explain how to anticipate and manage e-Business risks (TIK-5)

  3. Material Outline
  • Material 1: Human factors are one of the weak-link factors
  • Material 2: How to anticipate and manage e-Business risks

  4. Human Factors in e-Business
  • People, the weak link in e-business
  • Responsible Personnel
  • Action Plan for Breach of Security

  5. System Interdependencies
  • E-Business often involves highly interdependent partnerships with customers, suppliers, and various electronic service providers.

  6. Anticipating & Managing Risks
  • The most dangerous risk category is what we might call emergent risks: threats that have yet to be identified.
  • Sometimes a “Patch” creates more “Holes”
  • 10 Best Practices list for e-commerce self defence released by AICPA.

  7. Frequent Security Incidents
  • The vast majority of calls I get are in regard to a “hacking incident”
  • Almost all of these incidents are on Internet-connected machines

  8. Frequent Security Incidents
  • Most incidents are precipitated by:
    • An external complaint (your mail server is sending me a lot of spam e-mail)
    • A change in the system (the hard drive is full, strange new programs are running, tape backups are taking a lot longer)
    • The Internet is “slow” or we see strange activity
    • A threat from an insider – usually a network administrator making casual statements about how they could “take them out” if they ever got fired

  9. Frequent Security Incidents
  • Many complaints focus on inappropriate use of company technology:
    • Employees looking at pornography at work
    • A user is suspected of having “hacking” tools
    • Suspected theft of trade secrets / proprietary info

  10. Frequent Security Incidents
  • Another frequent event is an “employee termination” scenario:
    • Employee is usually a computer administrator
    • Employee has extensive access to many systems
    • Employee is a “troublemaker”
    • Employer wishes help in terminating the employee, and wants to remove their access FIRST before firing him
    • Typically involves a lot of brainstorming to identify all possible points of ingress to the computing environment

  11. Breaching
  • Enterprises spend millions to protect themselves from the threat of computer sabotage/breach. Internal staff members are among the potential sources of, or suspects in, a breach.

  12. Breaching
  Based on experience (at least at Bank Central Asia, Indonesia), 70% of network security breaches are due to procedural aspects; 30% of the attacks are partly technical, such as the information systems infrastructure and security tools. BCA's statistics also show the internal versus external split of attacks as 62% internal to 38% external in 1996 (when BCA used an intranet), shifting to 41% to 59% in 2000 and 30% to 70% in 2001 after moving to the Internet. Auditing, management controls and awareness are key security building blocks.

  13. Breach by Internal Staff (webmaster@digitalresearch.com, 2002)
  Types of security breaches:
  • Not-entitled users accessing resources 57%
  • Accounts left open after staff left company 43%
  • Victim of information theft from your network 30%
  • Access to contractors not terminated upon project completion 27%
  • Attempted or successful break-in by angry employee 21%

  14. Breach Typical Scenario
  • The angry employee (21%) is one of the most clearly illegal, yet most difficult to anticipate, breaches.
  • The introverted style of Information Technology staff.
  • A frustrating situation in a project activity, or work overload.
  • Too much trust placed in information technology staff, so that he or she has the opportunity to conduct a breach.
  • No clear security policy in a company or organization.
  • Passwords or IDs that are not deleted for ex-staff.
  • Management controls or the internal audit are not effective.

  15. Company Response to Breach
  • Enterprise response, auditing and discovery solutions provide an integrated platform to respond to enterprise incidents and threats, with the following benefits:
    • Accelerate response time to information security breaches.
    • Empower the enterprise to better control assets & infrastructure.
    • Conduct comprehensive investigations and audits.
    • Reduce the potential liability from misuse of corporate information and assets.
    • Eliminate costly and archaic investigation/auditing procedures.
    • Increase information systems’ reliability and availability by conducting investigations while systems are online.

  16. An Impersonal World
  • There are really two different types of computer security incidents – personal and impersonal
  • In my work, they are almost always impersonal hacking attacks, not someone who intentionally targeted the victim
  • Most hackers couldn't care less who you are, or what sensitive information you have; they simply want to control an Internet-connected server

  17. An Impersonal World
  • Usually this access is used in a few ways:
    • To commit crimes, using you as the staging point
    • To share questionable material, using your Internet connection and server space (the “warez” server)
    • To access questionable material, using you as a relay to hide their origin (frequently porn)
    • To use you as a SPAM relay to send junk e-mail to thousands of people

  18. How Hacking Happens
  • Hacking is generally possible due to a vulnerability or a mis-configuration in some server or device
  • Vulnerabilities exist, and are constantly discovered, in all types of systems by hackers and “white hats”
  • Patches are released, but rarely applied due to lack of resources, awareness, or just plain apathy
  • Case in point – the latest major Internet worm, called “slammer”, took advantage of a hole for which a software fix had been available for over a year!

  19. How Hacking Happens
  • Hacking also occurs due to a variety of mis-configuration issues such as:
    • Not using a firewall to restrict access from the Internet
    • Running programs that are not necessary
    • Poor passwords, default passwords
    • Default configurations

  20. Understanding Networks

  21. Understanding Networks
  • The example given previously is an example of “best practices” in network design, and provides some defense against Internet attacks
  • Many (most?) organizations do not have an adequate network design, and have significant risk from the Net
  • Even the BEST network design can’t protect a machine that is insecure!

  22. Understanding Networks
  • Each machine that can talk to the Internet has a unique identifier called an “IP Address”
  • IP addresses are sometimes static, and sometimes change frequently (especially for dial-up users)
  • Regardless, tracking IP addresses is frequently our only recourse to track network attacks
  • For example, if the IP address of a hacker can be tracked to AOL, it is then possible to obtain further info from AOL through legal action

  23. Types of Investigation
  • Once a call comes in requesting help in investigation, the engineer is dispatched on-site
  • The first (and perhaps most important) step is to discuss the situation with the victim before doing any work
  • There are basically three ways to approach an investigation:
    • “Pull the Plug” – don’t touch the machine
    • “Limited Investigation” – tread lightly
    • “Extensive Investigation” – heavy footprint

  24. Types of Investigation
  • Each of these approaches has advantages and disadvantages, depending on your goals
  • The most important question to ask is how strongly the customer feels about trying to prosecute
  • The second most important question to ask is how much $$ they have to spend

  25. “Pull the Plug”
  • Used when a company is VERY intent on prosecution and does not want to risk any tampering w/ evidence
  • As the title implies, the only investigation physically performed on the target system would be to pull the power and network cords
  • This is highly disruptive and expensive, as the server is no longer available

  26. “Pull the Plug”
  • There are also potential immediate consequences (you might miss evidence that would lead you to investigate other systems, for example)
  • There is also no opportunity to examine the “state” of the machine, which will be lost when it is turned off:
    • Which programs are running
    • Current network connections
  • Investigation of other data sources should still be performed (for all types)

  27. [Figure: “BP Areas” matrix (Unclassified). Areas listed: Information Technology Security, Contingency Management, Fire Protection, Financial Management, Environmental Controls, Personnel Management, Operations Management, Audit Accreditation, Risk Management. Critical Infrastructure Sectors listed: Information and Communications, Water Supply Systems, Banking and Finance, Electrical Power Systems, Emergency Services, Transportation, Government Services. Labelled “BSPs”.]

  28. Some of the universal dos/don’ts that govern us are:
  • The road block, or, “do not put all eggs in one basket”.
  • The reactionary, or, shutting the gate once the horse has bolted.
  • The patchwork quilt, or, divide and fall. Myth: if you buy the best security products on the market then you are less likely to suffer a security breach.
  • The Plate Spinner, or, too much to manage. The key to effective security is vision: the ability to monitor all areas simultaneously and set up alerts on irregular activity.
  • The Agoraphobic, or, too paranoid about what’s outside. Fear of external threats is understandable, but that’s no reason to put all your effort into fending off the wolf at your door. Most accidents happen in the home; internal users or ex-staff commit by far the majority of security breaches. A recent Meta report highlighted that over the lifecycle of an employee he or she accumulates 17 user IDs; however, when employees leave, only eleven of those IDs are ever deleted.
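Slides 10, 13, 14 and 28 keep returning to the same control failure: accounts of ex-staff and finished contractors that nobody disables. The following is an added example, not code from the slides, BCA or Meta, of a simple offboarding reconciliation that joins an HR roster against per-system account inventories to flag still-enabled accounts whose owner has left (or has no owner at all), and to measure how many of each leaver's IDs were actually disabled; the roster, usernames, systems and dates are constructed sample data.

```python
from datetime import date

# Constructed HR roster (not from the slides): person_id -> (name, leaving date or None if current).
HR_ROSTER = {
    "p100": ("A. Admin", date(2002, 3, 15)),      # former administrator, has left
    "p101": ("B. Bookkeeper", None),               # current employee
    "p102": ("C. Contractor", date(2002, 5, 31)),  # contract ended
    "p103": ("D. Developer", None),                # current employee
}

# Constructed account inventory gathered from each system: (system, username, owner person_id, enabled).
ACCOUNTS = [
    ("mailserver", "aadmin", "p100", True),
    ("erp", "aadmin", "p100", False),        # the one account that was disabled at offboarding
    ("firewall", "admin", "p100", True),     # privileged login still tied to the ex-admin
    ("erp", "bbook", "p101", True),
    ("vpn", "ccontr", "p102", True),
    ("erp", "ccontr", "p102", True),
    ("erp", "ddev", "p103", True),
    ("vpn", "svc_backup", None, True),       # no owner recorded at all
]

AUDIT_DATE = date(2002, 6, 30)  # constructed date on which the reconciliation is run


def has_left(roster, owner, today):
    """True if the owner is on the roster with a leaving date on or before today."""
    name, end = roster[owner]
    return end is not None and end <= today


def find_orphaned_accounts(roster, accounts, today):
    """Enabled accounts whose owner has left, or whose owner is not on the HR roster at all."""
    findings = []
    for system, user, owner, enabled in accounts:
        if not enabled:
            continue  # already disabled: nothing to flag
        if owner not in roster:
            findings.append((system, user, "no owner on HR roster"))
        elif has_left(roster, owner, today):
            name, end = roster[owner]
            findings.append((system, user, f"owner {name} left {end.isoformat()}"))
    return findings


def offboarding_coverage(roster, accounts, today):
    """Per leaver: (accounts found, accounts actually disabled), i.e. the '17 IDs vs 11 deleted' gap."""
    report = {}
    for system, user, owner, enabled in accounts:
        if owner in roster and has_left(roster, owner, today):
            total, disabled = report.get(owner, (0, 0))
            report[owner] = (total + 1, disabled + (0 if enabled else 1))
    return report
```

Running `find_orphaned_accounts(HR_ROSTER, ACCOUNTS, AUDIT_DATE)` on the sample data flags five enabled accounts, and `offboarding_coverage` shows that only one of the ex-admin's three accounts and none of the contractor's two were disabled.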

  29. REFERENCES
  • Find articles on security/breaching in e-Business from sources including:
  • http://www.entrepreneur.com/
  • http://www.oleran.com/security.htm
  • http://www.genuity.com/services/security/
  • http://www.unisys.com/
  • http://www.macroint.com/
  • http://www.vigilinx.com/
  • http://www.avatier.com/
  • http://www.echelonsystems.com/security
  • http://news.com.com/
  • http://www.madison-gurkha.com/serv_security
  • http://www.cai.com/
  • http://www.digitalresearch.com/digitalresearch/company/
  • http://chancellor.ucdavis.edu/
  • http://www.online-edge.co.uk/
  • http://www.activis.com/
  • http://www.guidancesoftware.com/
  • http://www.informationweek.com/
  • http://www.escrowconsulting.com/
  • http://www.shake.net/

  30. Summary
  • Students are required to write a summary
