User Awareness and Practices
Ir. PRAKOSO, Assistant Deputy 2, Deputy VII for Coordination in the Field of Informatics and Telecommunications
KEMENKO POLHUKAM (Coordinating Ministry for Political, Legal and Security Affairs)
Ministries and agencies under the coordination of Kemenko Polhukam RI: Kemenko Polhukam, Kemenhan, Kemendagri, Kemenlu, Kemenkominfo, Kemenkumham, Kemenpan dan RB, Kejagung, TNI, POLRI, BIN, Lemsaneg, Bakorkamla
YOU ARE THE TARGET
SOCIAL ENGINEERING
EMAIL
SOCIAL NETWORK
BROWSER
PASSWORD
ENCRYPTION
MOBILE DEVICES
MONITORING
HACKED
Using the internet allows an attacker to attack from anywhere.
Risks resulting from a lack of knowledge:
Identity theft; monetary theft; legal consequences (personal and corporate); termination (if company rules are not followed).
According to www.SANS.org, the top vulnerabilities available to cyber criminals are:
Web Browser; IM Clients; Web Applications; Excessive User Rights.
Security: we must protect our computers and data the same way we secure the doors to our homes. Safety: the habit of protecting against and countering the risks of threats that come with advancing technology.
DEFINITION OF AWARENESS: Awareness is the ‘what’ component of the education strategy of an organisation which tries to change the behaviour and patterns in how a targeted audience (e.g. employees, general public, etc.) uses technology and the Internet, and it is a distinct element from training. It consists of a set of activities which turn users into the organisation’s first line of defence. This is why awareness activities occur on an ongoing basis, using a variety of delivery methods, and are less formal and shorter than training. Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognise IT security concerns and respond accordingly. In awareness activities, the learner is the recipient of information, whereas the learner in a training environment has a more active role. Awareness relies on reaching broad audiences with attractive packaging techniques. Training is more formal, having a goal of building knowledge and skills to facilitate job performance’ (12).
System Administrators: some scripts are useful to protect networks…
Cracker: computer-savvy programmer who creates attack software
Script Kiddies: unsophisticated computer users who know how to execute programs
Criminals: create & sell bots -> spam; sell credit card numbers, …
Hacker Bulletin Board: SQL Injection, Buffer overflow, Password Crackers, Password Dictionaries
Successful attacks! Crazyman broke into … CoolCat penetrated…
Underground pricing: Malware package = $1K-2K; 1 M Email addresses = $8; 10,000 PCs = $1000
Virus Worm Trojan Horse / Logic Bomb Social Engineering Rootkits Botnets / Zombies
A virus attacks a program, file, or disk. When the program is executed, the virus becomes active. The virus may be benign or malignant but executes its payload at some point (often upon contact).
(Diagram: Program A carrying extra code infects Program B.)
Viruses cause crashes and loss of data.
Protecting against viruses/attacks:
Avoid potentially unreliable websites/emails; System Restore; re-install the operating system; anti-virus (e.g. Avira, AVG, Norton).
Worm: an independent program that replicates itself and sends copies of itself from one computer to another across a connected network.
(Diagram: the worm mails itself to every address in the email list: To Joe, To Ann, To Bob.)
Logic Bomb: corrupts the logic of a running program. Examples: software which malfunctions if the maintenance fee is not paid; an employee triggers a database erase when he is fired.
Trojan Horse: disguises itself while destroying data and damaging the system. Example: you download a game; it might be fun, but it has a hidden part that emails your password file without you knowing.
Social engineering manipulates people into performing actions or divulging confidential information. Similar to a confidence trick or simple fraud, the term applies to the use of deception to obtain information from computer systems. Examples:
Phone Call: "This is John, the System Admin. What is your password?"
Email: "ABC Bank has noticed a problem with your account…"
In Person: "What ethnicity are you? Your mother’s maiden name?" or "I have come to repair your machine… and have some software patches."
Phishing: a ‘trustworthy entity’ asks via e-mail for sensitive information such as SSN, credit card numbers, login IDs or passwords.
The link provided in the e-mail leads to a fake webpage which collects important information and submits it to the owner. The fake web page looks like the real thing and extracts account information.
A botnet is a large number of compromised computers used to create and send spam or viruses, or to flood a network with messages as a denial of service attack. The compromised computers are called zombies.
An attacker who pretends to be your end destination on the network: if someone tries to connect to a particular WLAN access point or web server, the attacker can misdirect them to his own computer, pretending to be the access point or server.
Upon penetrating a computer, a hacker installs a collection of programs called a rootkit.
It enables: easy access for the hacker; a keystroke logger; elimination of the traces of the break-in; modification of the operating system.
Pattern                        | Calculation | Result  | Time to Guess (2.6x10^18/month)
Personal Info: interests, relatives |         | 20      | Manual, 5 minutes
Social Engineering             |             | 1       | Manual, 2 minutes
American Dictionary            |             | 80,000  | < 1 second
4 chars: lower case alpha      | 26^4        | 5x10^5  |
8 chars: lower case alpha      | 26^8        | 2x10^11 |
8 chars: alpha                 | 52^8        | 5x10^13 |
8 chars: alphanumeric          | 62^8        | 2x10^14 | 3.4 min.
8 chars: alphanumeric + 10     | 72^8        | 7x10^14 | 12 min.
8 chars: all keyboard          | 95^8        | 7x10^15 | 2 hours
12 chars: alphanumeric         | 62^12       | 3x10^21 | 96 years
12 chars: alphanumeric + 10    | 72^12       | 2x10^22 | 500 years
12 chars: all keyboard         | 95^12       | 5x10^23 |
16 chars: alphanumeric         | 62^16       | 5x10^28 |
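As an added example (not part of the original slides), the following Python recomputes the table's Calculation, Result and Time to Guess columns from character-set size and length, using the deck's stated rate of 2.6x10^18 guesses per month. The 30-day month and the display rounding are assumptions, so the derived times land near, not exactly on, the slide's figures.

```python
# Added example: reproduce the password search-space table from the slides.
# Rate is the one given in the table header; the 30-day month is an assumption.
RATE_PER_MONTH = 2.6e18
MINUTES_PER_MONTH = 30 * 24 * 60

# Character-set sizes behind the table's Calculation column
CHARSETS = {
    "lower case alpha": 26,
    "alpha": 52,
    "alphanumeric": 62,
    "alphanumeric + 10": 72,
    "all keyboard": 95,
}

def search_space(charset_size, length):
    """Number of distinct passwords: charset_size ** length."""
    return charset_size ** length

def time_to_guess_minutes(space, rate_per_month=RATE_PER_MONTH):
    """Worst case: every candidate in the space is tried."""
    return space / rate_per_month * MINUTES_PER_MONTH

def human_time(minutes):
    """Round a duration the way the slide's last column does."""
    if minutes < 1 / 60:
        return "< 1 second"
    if minutes < 1:
        return f"{minutes * 60:.0f} seconds"
    if minutes < 60:
        return f"{minutes:.1f} min"
    if minutes < 60 * 24:
        return f"{minutes / 60:.1f} hours"
    if minutes < 60 * 24 * 365:
        return f"{minutes / (60 * 24):.1f} days"
    return f"{minutes / (60 * 24 * 365):.0f} years"

def password_table(rows):
    """rows: (charset name, length) pairs -> list of table rows as tuples."""
    out = []
    for charset, length in rows:
        n = CHARSETS[charset]
        space = search_space(n, length)
        out.append((f"{length} chars: {charset}", f"{n}^{length}",
                    f"{space:.0e}", human_time(time_to_guess_minutes(space))))
    return out

if __name__ == "__main__":
    rows = [("lower case alpha", 4), ("lower case alpha", 8), ("alpha", 8),
            ("alphanumeric", 8), ("alphanumeric + 10", 8), ("all keyboard", 8),
            ("alphanumeric", 12), ("alphanumeric + 10", 12), ("all keyboard", 12),
            ("alphanumeric", 16)]
    for r in password_table(rows):
        print(" | ".join(r))
```

Reading the output side by side with the slide shows the table's point: going from 8 to 12 characters adds far more resistance than widening the character set at 8 characters.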
Restricted data includes: Social Security Number; driver’s license # or state ID #; financial account number (credit/debit) and access code/password; DNA profile (Statute 939.74); biometric data.
In the US, HIPAA protects: health status, treatment, or payment.
Symptoms of infection:
Antivirus software detects a problem; pop-ups that suddenly appear (may sell security software); disk space that disappears; files or transactions that appear which should not be there; a slow system; messages, sounds, or displays that are not usually on the monitor; a stolen laptop (1 in 10 are stolen in a laptop's lifetime); the mouse moves by itself; the computer shuts down and powers off without being told to. Often the infection goes unnoticed.
Symptoms of spyware:
Your browser homepage/start page changes; ending up on a strange site when conducting a search; the system-based firewall turns off automatically; a lot of network activity when none is needed; excessive pop-up windows; new icons, programs, favorites that we never created; the firewall frequently warns about unrecognized programs; slow/poor system performance.
Defense in depth uses several layers of defense, covering technical, personnel and operational issues.
Anti-virus software detects malware and can destroy it before any damage is done. Install and maintain anti-virus and anti-spyware software; be sure to keep anti-virus software updated; many free and paid options exist.
A firewall acts as a wall between your computer/private network and the internet. Hackers may use the internet to find, use, and install applications on your computer. A firewall prevents hacker connections from entering your computer by filtering packets that enter or leave your computer.
Microsoft regularly issues patches or updates to solve security problems in their software. If these are not applied, it leaves your computer vulnerable to hackers.
The Windows Update feature built into Windows can be set up to automatically download and install updates.
Avoid logging in as administrator
Bad Password: Merry Christmas (also: Merry Xmas, MerryJul, MaryJul)
Good Passwords derived from it:
(Lengthen) MerryChrisToYou
(Synonym) Glad*Jes*Birth, Mary*Jul
(Abbreviate) MerChr2You, mErcHr2yOu
(Intertwine Letters) MXemrays
(Convert vowels to numeric) M5rryXm1s
(Keypad shift Right … Up) ,stuzc,sd  Jq46Sjqw
Combine 2 unrelated words: Mail + phone = m@!lf0n3
Abbreviate a phrase: My favorite color is blue = Mfciblue
Music lyric: Happy birthday to you, happy birthday to you, happy birthday dear John, happy birthday to you. = hb2uhb2uhbdJhb2u
Do not use ‘admin’, ‘root’ or ‘administrator’ as the login name for the admin account.
A proper password is: private: do not tell it to anyone; secret: do not write it down; easily remembered: so it does not need to be written down; at least 8 characters and complex: a combination of letters, numbers and punctuation; not guessable: not easy to guess; changed regularly: changed periodically.
Beware that someone may see you typing it. If you accidentally type your password instead of your login name, it may appear in system log files
Do not open email attachments from senders you do not recognize.
Avoid clicking links in emails whose validity has not been confirmed.
Only visit and download software from trusted web pages.
Make sure you have a proper firewall or pop-up blocker installed.
Pop-up blockers do not always block ALL pop-ups, so always close a pop-up window using the ‘X’ in the upper corner.
Never click “yes,” “accept” or even “cancel”.
Beware of infected USB drives.
Always use a secure browser for online activities. Always delete temp files, cookies, history, saved passwords etc.
https:// is the symbol showing enhanced security.
No information security measure is 100% guaranteed. Is the information important to you? Do you back it up:
Recently? Off-site & securely? With the process documented? Tested? Encrypted?
Organizations lose 5-6% of revenue annually due to internal fraud = $652 Billion in U.S. (2006)
Average scheme lasts 18 months, costs $159,000
25% costs exceed $1M
Small companies suffer more damage than large companies.
(Chart: Internal Fraud Recovery: $0 Recovered; Recovery <= 25%; Substantial Recovery.)
Source: Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons
(Chart: How Fraud is Discovered, % by method: Tip; By Accident; Internal Audit; Internal Controls; External Audit; Notified by Police.)
Tips are most common way fraud is discovered. Tips come from:
Employee/Coworkers 64%, Anonymous 18%, Customer 11%, Vendor 7%
If you notice possible fraud, CONTACT: ??????????
These are best practices involving Information Security. Most of these practices are from the National Institute of Standards and Technology.
Use these practices at home and at work to keep safe and secure.
Employers have policies and procedures regarding secure practices. Be sure to understand them and adhere to them. It will protect you, your employer and your customers.
CONCLUSION: “You are the key to Security, it begins with you.” Information Security is the responsibility of all of us, so we must convince everyone to care about the policies and procedures relating to IT Security.
SIMPLE ADVICE/TIPS
THAT IS ALL & THANK YOU. I HOPE THIS HAS BEEN USEFUL.