
Chapter 02

Secure Information Systems

By: Nabila Clydea Harahap

CSIM601280 - Principles of Information Systems

Undergraduate Program in Information Systems

Teaching Team: Heri, Mita, Nabila, Widia

Rev: 15-Feb-2023
Principle 01
The Threat Landscape

Principle: Computer crime is a serious and rapidly growing area of concern requiring management attention.

Learning Objectives:
• State four reasons why computer incidents have become so prevalent.
• Identify four classes of perpetrators most likely to initiate a cyberattack.
• Define the term attack vector.
• Identify at least three commonly used attack vectors.
• Identify five cyberthreats that pose a serious threat for organizations.
• Identify five consequences of a successful cyberattack.
• Identify five federal laws that address computer crime.
Organizations Mishandle Data Breaches

• Yahoo disclosed in December 2016 that one billion of its users’ accounts had been compromised in an August 2013 breach.
• Uber, the popular ridesharing, food delivery, and transportation service company, announced in February 2015 that it had suffered a data breach in May 2014.
• Under Armour was hit with a data breach that impacted some 150 million users of its My Fitness Pal food and nutrition application.
Why Learn About Secure Information Systems?
• Confidential business data and private customer and employee
information must be safeguarded, and systems must be protected
against malicious acts of theft or disruption.
• Although the need for security is obvious, it must often be balanced
against other business needs. Business managers, IS professionals,
and IS users all face a number of complex trade-offs regarding IS
security.
Why Computer Incidents Are So Prevalent (1/3)
1. Increasing Complexity Increases Vulnerability
• The Internet of Things, cloud computing, mobile devices, operating systems,
applications, Web sites, switches, routers, and gateways are all interconnected and
are driven by hundreds of millions of lines of code.
• The number of possible entry points to a network expands continually as more
devices are added, further increasing the possibility of security breaches.
2. Bring your own device (BYOD) policies
• A business policy that permits, and in some cases encourages, employees to use
their own mobile devices (smartphones, tablets, or laptops) to access company
computing resources and applications.
• BYOD makes it extremely difficult for IT organizations to adequately safeguard the
wide range of portable devices with various operating systems and a myriad of
applications.
Why Computer Incidents Are So Prevalent (2/3)
3. Use of Software with Known Vulnerabilities
• An exploit is an attack on an information system that takes advantage of a
particular system vulnerability. Once the vulnerability is discovered, software
developers create and issue a “fix,” or patch, to eliminate the problem.
• Clearly, it can be difficult to keep up with all the required patches to fix these
vulnerabilities. Of special concern is a zero-day attack, which is an attack that
takes place before the security community becomes aware of and fixes a
security vulnerability.
• Even when vulnerabilities are exposed, many corporate IT organizations
continue to use already installed software as-is rather than implement
security fixes. IT organizations often make this decision because the fixes will
either make the software harder to use or eliminate “nice-to-have” features
that will help sell the software to end users.
Why Computer Incidents Are So Prevalent (3/3)
4. Increasing Sophistication of Those Who Would Do Harm
• Today’s computer menace is much better organized and may be part of an
organized group (such as Anonymous, Chaos Computer Club, Lizard Squad,
TeslaTeam) that has an agenda and that targets specific organizations and
Web sites.
• Some of these groups have ample resources, including money and
sophisticated tools, to support their efforts.
Perpetrators Most Likely to Initiate a Cyberattack
• Currently, although the lone wolf and cyberterrorist receive a lot of publicity, they are not considered among the most serious sources of cyberattacks.
• IBM found that 55–60 percent of all cyberattacks are initiated through the actions of insiders.
Types of Attack Vectors
• Attack vector: The technique used to gain unauthorized access to a device or a network.
Cyberattacks That Pose Serious Threats
• Ransomware
• Distributed denial-of-service attacks
• Data breaches
• Cyberespionage
• Cyberterrorism
Ransomware
• Ransomware is malware that stops you from using your computer or
accessing the data on your computer until you meet certain
demands, such as paying a ransom or, in some cases, sending
compromising photos to the attacker.
• A computer can become infected with ransomware when a user
opens an email attachment containing the malware or is lured to a
compromised Web site by a deceptive email or pop-up window.
• Once the malware has taken over, it encrypts some or all of the
victim’s files. The files can then only be decrypted with a
mathematical key known only to the attacker.
Distributed denial-of-service attacks
• A distributed denial-of-service (DDoS) attack is one in which a
malicious hacker takes over computers via the Internet and causes
them to flood a target site with demands for data and other small
tasks.
• The term botnet is used to describe a large group of such computers,
which are controlled from one or more remote locations by hackers,
without the knowledge or consent of their legitimate owners.
Data breaches
• A data breach is the unintended release of sensitive data or the
access of sensitive data by unauthorized individuals, often resulting in
identity theft.
• Not only are the individuals whose data is compromised in a data
breach put at risk of identity theft or blackmail, but also the
shareholders of an organization hit with a data breach can be
impacted by a decline in the valuation of the firm that follows
publication of the incident.
Cyberespionage
• Cyberespionage involves the deployment of malware that secretly
steals data in the computer systems of organizations.
• These organizations include government agencies, military
contractors, political organizations, and manufacturing firms.
• The type of data most frequently targeted includes data that can
provide an unfair competitive advantage to the perpetrator. This data
is typically not public knowledge and may even be protected via
patent, copyright, or trade secret.
Cyberterrorism
• Cyberterrorism is the intimidation of government or civilian
population by using information technology to disable critical national
infrastructure (e.g., energy, transportation, financial, law
enforcement, emergency response, and healthcare systems) to
achieve political, religious, or ideological goals.
Consequences of a Successful Cyberattack
• Direct impact: This is the value of the assets (cash, inventory,
equipment, patents, copyrights, trade secrets, data) stolen or
damaged due to the cyberattack.
• Business disruption: A successful cyberattack may make it
impossible for the organization to operate in an effective manner
for several hours or days.
• Recovery cost: It may take people from the IS organization and
business areas days or weeks to repair affected systems and
recover lost or compromised data.
• Legal consequences: There is the prospect of monetary penalties
for businesses that fail to comply with data protection legislation.
• Reputation damage: A successful cyberattack can erode the trust
your organization has established with your customers, suppliers,
business partners, and shareholders.
Principle 02
The CIA Security Triad

Principle: Organizations must take strong measures to ensure secure, private, and reliable computing experiences for their employees, customers, and business partners.

Learning Objectives:
• Discuss how the CIA security triad can be implemented at the organizational, network, application, and end user levels to safeguard against cyberattacks.
• Conduct a security self-assessment of your own computer and usage habits.
• Identify eight steps that must be taken to perform a thorough security risk assessment.
• Describe five actions an organization must take in response to a successful cyberattack.
• Describe the role of a managed security service provider.
• Define the term computer forensics.
A multi-layered security solution
Security measures must be planned for, designed, implemented, tested, and maintained at the organizational, network, application, and end-user layers to achieve true CIA security.
Implementing CIA at the Organizational Level
Implementing CIA begins at the organizational level with the definition of an overall
security strategy.

• Risk Assessment: Identify and prioritize the threats that the organization faces.
• Disaster Recovery: Ensures the availability of key data and information technology
assets.
• Security Policies: Guide employees to follow recommended processes and practices to
avoid security-related problems.
• Security Audits: Ensure that individuals are following established policies and assess whether
the policies are still adequate even under changing conditions.
• Regulatory Standards Compliance: The organization may also need to comply with standards
defined by external parties, including regulatory agencies.
• Security Dashboard: Helps track the key performance indicators of the security strategy.
Risk Assessment
• Risk assessment is the process of assessing security-related risks to an organization’s computers and networks from both internal and external threats.
• The goal of risk assessment is to identify which investments of time and resources will best protect the organization from its most likely and serious threats.

Step 1: Identify the set of IT assets about which the organization is most concerned.
Step 2: Identify the loss events or the risks or threats that could occur.
Step 3: Assess the frequency of events or the likelihood of each potential threat.
Step 4: Determine the impact of each threat occurring.
Step 5: Determine how each threat can be mitigated.
Step 6: Assess the feasibility of implementing the mitigation options.
Step 7: Perform a cost-benefit analysis to ensure that your efforts will be cost effective.
Step 8: Make the decision on whether or not to implement a particular countermeasure.
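The eight risk-assessment steps carried through in code, as an added example that is not part of the slides: each threat is ranked by expected annual loss (frequency times impact), and a countermeasure is adopted only if it is feasible and the loss it avoids exceeds its cost. All asset values, frequencies and costs are constructed sample figures.

```python
"""Worked risk-assessment example covering Steps 1-8 (added illustration).

The threats, likelihoods, impacts and countermeasure costs are constructed
sample figures chosen only to show the arithmetic behind the decisions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    asset: str                # Step 1: the IT asset of concern
    event: str                # Step 2: the loss event that could occur
    annual_frequency: float   # Step 3: expected occurrences per year
    impact: float             # Step 4: loss per occurrence, in currency units


@dataclass(frozen=True)
class Countermeasure:
    threat: Threat
    name: str                   # Step 5: how the threat can be mitigated
    feasible: bool              # Step 6: can it realistically be deployed?
    annual_cost: float          # Step 7: yearly cost of the control
    frequency_reduction: float  # fraction of occurrences it prevents (0..1)


def annual_loss_expectancy(t: Threat) -> float:
    """Expected yearly loss from a threat: frequency x impact per event."""
    return t.annual_frequency * t.impact


def prioritize(threats: list[Threat]) -> list[Threat]:
    """Rank threats so the most likely and most serious come first."""
    return sorted(threats, key=annual_loss_expectancy, reverse=True)


def net_benefit(c: Countermeasure) -> float:
    """Step 7: yearly loss avoided by the control minus what it costs."""
    avoided = annual_loss_expectancy(c.threat) * c.frequency_reduction
    return avoided - c.annual_cost


def should_implement(c: Countermeasure) -> bool:
    """Step 8: implement only feasible controls that pay for themselves."""
    return c.feasible and net_benefit(c) > 0


# Constructed sample register: two threats against one customer database.
RANSOMWARE = Threat("customer database", "ransomware encrypts data", 0.5, 200_000)
INSIDER = Threat("customer database", "insider exfiltrates records", 0.1, 500_000)

OFFLINE_BACKUPS = Countermeasure(RANSOMWARE, "tested offline backups", True, 20_000, 0.8)
DLP_GATEWAY = Countermeasure(INSIDER, "data-loss-prevention gateway", True, 60_000, 0.5)
AIR_GAP = Countermeasure(INSIDER, "air-gap the database", False, 5_000, 1.0)


if __name__ == "__main__":
    for t in prioritize([RANSOMWARE, INSIDER]):
        print(f"{t.event:32s} ALE = {annual_loss_expectancy(t):>10,.0f}")
    for c in (OFFLINE_BACKUPS, DLP_GATEWAY, AIR_GAP):
        verdict = "implement" if should_implement(c) else "reject"
        print(f"{c.name:32s} net benefit = {net_benefit(c):>10,.0f} -> {verdict}")
```

Note that the air-gap option has the best arithmetic but is rejected at Step 6, which is why feasibility is checked before the cost-benefit figure is allowed to decide.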
Disaster Recovery
• A disaster recovery plan is a documented process for recovering an organization’s
business information system assets—including hardware, software, data,
networks, and facilities—in the event of a disaster such as a flood, fire, or
electrical outage.
• A disaster recovery plan should be a component of an organization’s overall
business continuity plan, which should also include an occupant emergency
evacuation plan, a continuity of operations plan, and an incident management
plan.
• Some business processes are more essential to continued operations and goal
attainment than others. These processes are called mission-critical processes.
• Failover is another approach to backup: when a server, network, or database fails
or is no longer functioning, failover automatically switches applications and other
programs to a redundant or replicated server, network, or database to prevent an
interruption of service.
Security Policies
• A security policy defines an organization’s security requirements, as
well as the controls and sanctions needed to meet those
requirements.
• The SANS (SysAdmin, Audit, Network, Security) Institute offers
several security-related policy templates (www.sans.org/security-resources/).
• Automated system rules can often be put into practice using the
configuration options in a software program.
• For example, if a written policy states that passwords must be a minimum of 13
characters, include at least one number, one capital letter, and one special
character, then all systems should be configured to enforce this policy
automatically.
Security Audits
• Another important prevention tool is a security audit that enables the
organization to identify its potential threats, establish a benchmark
of where it is, determine where it needs to be, and develop a plan to
meet those needs.
• The audit should examine if security policies are being followed.
• For example, if a policy says that all users must change their passwords every
30 days, the audit must check how well that policy is being implemented.
• A thorough security audit should also test system safeguards to
ensure that they are operating as intended.
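The two password examples on the Security Policies and Security Audits slides, turned into automated checks as an added example (not code from the slides): one function enforces the 13-character/number/capital/special-character policy, and one audits which accounts have gone past the 30-day change interval. The account names and dates are constructed sample data.

```python
"""Password policy enforcement and audit check (added example).

Implements the policy stated on the slides (at least 13 characters with a
number, a capital letter and a special character) and the audit rule that
passwords must be changed every 30 days. Sample accounts are constructed.
"""
from datetime import date

MIN_LENGTH = 13
MAX_AGE_DAYS = 30
SPECIAL = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


def policy_violations(password: str) -> list[str]:
    """Return every policy rule the password breaks (empty means compliant).

    Reporting all failures at once lets the system tell the user exactly
    what to fix instead of rejecting the password one rule at a time.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(ch.isdigit() for ch in password):
        problems.append("no number")
    if not any(ch.isupper() for ch in password):
        problems.append("no capital letter")
    if not any(ch in SPECIAL for ch in password):
        problems.append("no special character")
    return problems


def meets_policy(password: str) -> bool:
    """Policy gate a system would apply at password-change time."""
    return not policy_violations(password)


def audit_password_ages(last_changed: dict[str, date], today: date) -> dict[str, int]:
    """Audit check: accounts whose password is older than MAX_AGE_DAYS,
    mapped to how many days past the deadline they are."""
    overdue = {}
    for user, changed in last_changed.items():
        age = (today - changed).days
        if age > MAX_AGE_DAYS:
            overdue[user] = age - MAX_AGE_DAYS
    return overdue


# Constructed sample data for the audit run.
SAMPLE_LAST_CHANGED = {
    "alice": date(2023, 2, 1),
    "bob": date(2022, 12, 20),
    "carol": date(2023, 2, 14),
}
AUDIT_DATE = date(2023, 2, 15)

if __name__ == "__main__":
    print(policy_violations("thirteencharss"))
    print(audit_password_ages(SAMPLE_LAST_CHANGED, AUDIT_DATE))
```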
Regulatory Standards Compliance (1/2)
Regulatory Standards Compliance (2/2)
Security Dashboard
Implementing CIA at the Network Level
• Authentication Methods
• Firewall
• Routers
• Encryption
• Proxy Servers and Virtual Private Networks
Authentication Methods
• Two-factor authentication requires the user to provide two types of
credentials before being able to access the network; the two credentials
can be any of the following:
• Something you know, such as a personal identification number (PIN) or password
• Something you have, such as some form of security card or token
• Something you are, such as a biometric (e.g., a fingerprint or retina scan)
• Biometric authentication is the process of verifying your identity by using
your physiological measurements (fingerprint, shape of your face, shape of
your hand, vein pattern, your iris, or retina) or behavioral measurements
(voice recognition, gait, gesture, or other unique behaviors).
Firewall
• A firewall is a system of software, hardware, or a combination of both
that stands guard between an organization’s internal network and
the Internet, and limits network access based on the organization’s
access policy.
• A next-generation firewall (NGFW) is a hardware- or software-based
network security system that can detect and block sophisticated
attacks by filtering network traffic dependent on the packet contents.
Routers
• A router is a networking device that connects multiple networks
together and forwards data packets from one network to another.
• Often, an Internet service provider (ISP) installs a router in a
subscriber’s home to connect the ISP’s network to the network within
the home.
• Routers enable you to create a secure network by assigning it a
passphrase so that only individuals who have the passphrase can
connect to your network.
Encryption
• Encryption is the process of scrambling messages or data in such a
way that only authorized parties can read it.
• An encryption key is a value that is applied (using an algorithm) to a
set of unencrypted text (plaintext) to produce encrypted text that
appears as a series of seemingly random characters (ciphertext) that
is unreadable by those without the encryption key needed to
decipher it.
• Transport Layer Security (TLS) is a communications protocol or
system of rules that ensures privacy between communicating
applications and their users on the Internet.
Proxy Servers and Virtual Private Networks
• A proxy server serves as an intermediary between a Web browser and another server on the Internet that makes requests to Web sites, servers, and services on the Internet for you.
• A virtual private network (VPN) enables remote users to securely access an organization’s collection of computing and storage devices and share data remotely.
Implementing CIA at the Application Level

Authentication Methods
• Users are required to be authenticated before they can access an application—ideally, two-factor authentication is required.

User Roles and Accounts
• The creation of roles and user accounts so that once users are authenticated, they have the authority to perform their responsibilities and nothing more.
• This concept is called proper separation-of-duties.

Data Encryption
• Major enterprise systems such as enterprise resource planning (ERP), customer relationship management (CRM), and product lifecycle management (PLM) access sensitive data residing on data storage devices located in data centers, in the cloud, or at third-party locations.
• Data encryption should be used within applications to ensure that this sensitive data is protected from unauthorized access.
Implementing CIA at the End-User Level
• Security Education
• Authentication methods
• Antivirus software
• Data encryption
• Implementing Safeguards Against Attacks by Malicious Insiders
Security Education
• Creating and enhancing user awareness of security policies is an
ongoing security priority for companies.
• Users must help protect an organization’s information systems and
data by doing the following:
• Guarding their passwords to protect against unauthorized access to their
accounts
• Prohibiting others from using their passwords
• Applying strict access controls (file and directory permissions) to protect data
from disclosure or destruction
• Reporting all unusual activity to the organization’s IT security group
• Taking care to ensure that portable computing and data storage devices are
protected (hundreds of thousands of laptops are lost or stolen per year)
Authentication methods
• End users should be required to be authenticated before their
computing/communications device accepts further input.
• Again, several multifactor authentication schemes can be used.
• Many mobile devices are using the user’s fingerprint as a means of
authentication.
Antivirus software
• Antivirus software should be installed on each user’s personal
computer to scan a computer’s memory and disk drives regularly for
viruses.
• Antivirus software scans for a specific sequence of bytes, known as a
virus signature, that indicates the presence of a specific virus.
• In most corporations, the network administrator is responsible for
monitoring network security Web sites frequently and downloading
updated antivirus software as needed.
Data encryption
• While you should already have a login password for your mobile
computing device or workstation, those measures won’t protect your
data if someone steals your device—the thief can simply remove your
storage device or hard drive and plug it into another computing
device and access the data.
• If you have sensitive information on your computer, you need to
employ full-disk encryption, which protects all your data even if your
hardware falls into the wrong hands.
Implementing Safeguards Against Attacks by Malicious Insiders
• User accounts that remain active after employees leave a company
are another potential security risk.
• To reduce the threat of attack by malicious insiders, IS staff must
promptly delete the computer accounts, login IDs, and passwords of
departing employees and contractors.
• Another important safeguard is to create roles and user accounts so
that users have the authority to perform their responsibilities and
nothing more.
Detection of a Cyberattack (1/2)
An intrusion detection system (IDS) is software and/or hardware that monitors system and network resources and activities and notifies network security personnel when it detects network traffic that attempts to circumvent the security measures of a networked computer environment.
Detection of a Cyberattack (2/2)
• Knowledge-based intrusion detection systems
• Contain information about specific attacks and system vulnerabilities and watch for
attempts to exploit these vulnerabilities, such as repeated failed login attempts or
recurring attempts to download a program to a server.
• When such an attempt is detected, an alarm is triggered.
• A behavior-based intrusion detection system
• Understands normal behavior of a system and its users because it collects reference
information by various means.
• The intrusion detection system compares current activity to this model and
generates an alarm if it finds a deviation.
• Examples include unusual traffic at odd hours or a user in the human resources
department who accesses an accounting program that she has never before used.
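Both detection styles from the slide run over a handful of log lines, as an added example (not from the slides): a knowledge-based rule fires on repeated failed logins within a short window, and a behavior-based rule fires when a user touches an application absent from their reference profile, like the human-resources user opening an accounting program. The log format, thresholds and baseline profiles are constructed for illustration.

```python
"""Knowledge-based and behavior-based intrusion detection (added example).

Log format, thresholds and baseline profiles are constructed sample data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines: "<timestamp> <user> <event> <detail>"
SAMPLE_LOG = """\
2023-02-15T02:10:01 bob LOGIN_FAILED src=10.0.0.7
2023-02-15T02:10:03 bob LOGIN_FAILED src=10.0.0.7
2023-02-15T02:10:05 bob LOGIN_FAILED src=10.0.0.7
2023-02-15T02:10:08 bob LOGIN_FAILED src=10.0.0.7
2023-02-15T02:10:10 bob LOGIN_FAILED src=10.0.0.7
2023-02-15T09:15:00 dana APP_ACCESS app=hr_payroll
2023-02-15T09:20:00 dana APP_ACCESS app=accounting_gl
2023-02-15T09:25:00 erin APP_ACCESS app=accounting_gl
"""

# Knowledge-based signature: this many failed logins inside the window.
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=1)

# Behavior model: reference information on which applications each user
# has used before (dana works in human resources, erin in accounting).
BASELINE = {
    "dana": {"hr_payroll", "hr_benefits"},
    "erin": {"accounting_gl", "accounting_ap"},
}


def parse(log: str):
    """Yield (timestamp, user, event, detail) for each log line."""
    for line in log.splitlines():
        ts, user, event, detail = line.split(" ", 3)
        yield datetime.fromisoformat(ts), user, event, detail


def knowledge_based_alerts(log: str) -> list[str]:
    """Signature rule: N failed logins for one user within the window."""
    recent = defaultdict(deque)
    alerts = []
    for ts, user, event, _ in parse(log):
        if event != "LOGIN_FAILED":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > FAILED_LOGIN_WINDOW:   # drop stale attempts
            q.popleft()
        if len(q) >= FAILED_LOGIN_THRESHOLD:
            alerts.append(f"{user}: {len(q)} failed logins within {FAILED_LOGIN_WINDOW}")
            q.clear()   # one alarm per burst, not one per extra attempt
    return alerts


def behavior_based_alerts(log: str) -> list[str]:
    """Anomaly rule: a user accesses an application outside their baseline."""
    alerts = []
    for ts, user, event, detail in parse(log):
        if event != "APP_ACCESS":
            continue
        app = detail.split("=", 1)[1]
        if app not in BASELINE.get(user, set()):
            alerts.append(f"{user}: first-ever access to {app} at {ts.time()}")
    return alerts


if __name__ == "__main__":
    print(knowledge_based_alerts(SAMPLE_LOG))
    print(behavior_based_alerts(SAMPLE_LOG))
```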
Response
• Incident Notification
• Protection of Evidence and Activity Logs
• Incident Containment
• Eradication
• Incident Follow-Up
Incident Notification
• A key element of any response plan is to define who to notify and
who not to notify in the event of a computer security incident.
• Most security experts recommend against giving out specific
information about a compromise in public forums, such as news
reports, conferences, professional meetings, and online discussion
groups.
• A critical ethical decision that must be made is what to tell customers
and others whose personal data may have been compromised by a
computer incident.
Protection of Evidence and Activity Logs
• An organization should document all details of a security incident as it
works to resolve the incident.
• Documentation captures valuable evidence for a future prosecution
and provides data to help during the incident eradication and follow-
up phases.
• It is especially important to capture all system events, the specific
actions taken (what, when, and who), and all external conversations
(what, when, and who) in a logbook.
• Because this may become court evidence, an organization should
establish a set of document-handling procedures using the legal
department as a resource.
Incident Containment
• The incident response plan should clearly define the process for
deciding if an attack is dangerous enough to warrant shutting down
or disconnecting critical systems from the network.
• How such decisions are made, how fast they are made, and who
makes them are all elements of an effective response plan.
Eradication
• Before the IT security group begins the eradication effort, it must
collect and log all possible criminal evidence from the system and
then verify that all necessary backups are current, complete, and free
of any malware.
• Creating a forensic disk image of each compromised system on write-
only media both for later study and as evidence can be very useful.
• After virus eradication, a new backup must be created.
• Throughout this process, a log should be kept of all actions taken.
Incident Follow-Up
A review should be conducted after an incident to determine exactly what happened and to evaluate how the organization responded.

One approach is to write a formal incident report that includes a detailed chronology of events and the impact of the incident.

The key elements of a formal incident report should include the following:
• IP address and name of host computer(s) involved
• The date and time when the incident was discovered
• The length of the incident
• How the incident was discovered
• The method used to gain access to the host computer
• A detailed discussion of vulnerabilities that were exploited
• A determination of whether or not the host was compromised as a result of the attack
• The nature of the data stored on the computer (customer, employee, financial, etc.)
• A determination of whether the accessed data is considered personal, private, or confidential
• The number of hours the system was down
• The overall impact on the business
• An estimate of total monetary damage from the incident
• A detailed chronology of all events associated with the incident
Using a Managed Security Service Provider (MSSP)
• For most small and midsized organizations, the level of in-house
network security expertise needed to protect their business
operations can be too costly to acquire and maintain.
• As a result, many organizations outsource their network security
operations to a managed security service provider (MSSP), which is a
company that monitors, manages, and maintains computer and
network security for other organizations.
• MSSPs include such companies as AT&T, Computer Sciences
Corporation, Dell SecureWorks, IBM, Symantec, and Verizon.
Computer Forensics
Computer forensics is a discipline that combines elements of law and computer science to identify, collect, examine, and preserve data from computer systems, networks, and storage devices in a manner that preserves the integrity of the data gathered so that it is admissible as evidence in a court of law.
The End
