Session 5: Human Factors of Risks in e-Business


Page 1

Session 5: Human Factors of Risks in e-Business

Course: F0662/Web Based Accounting
Year: 2005
Version: 1/0

Page 2

Learning Outcomes

By the end of the session, students are expected to be able to:
• Explain that human factors are one of the weak links (TIK-5)
• Explain how to anticipate and manage e-Business risks (TIK-5)

Page 3

Outline of Material

• Topic 1: Human factors are one of the weak links
• Topic 2: How to anticipate and manage e-Business risks

Page 4

Human Factors in e-Business

• People, the weak link in e-business
• Responsible personnel
• Action plan for a breach of security

Page 5

System Interdependencies

• E-Business often involves highly interdependent partnerships with customers, suppliers, and various electronic service providers.

Page 6

Anticipating & Managing Risks

• The most dangerous risk category is what we might call emergent risks: threats that have yet to be identified.

• Sometimes a "patch" creates more "holes"
• A "10 Best Practices" list for e-commerce self-defence has been released by the AICPA.

Page 7

Frequent Security Incidents

• The vast majority of calls I get are in regard to a "hacking incident"
• Almost all of these incidents are on Internet-connected machines

Page 8

Frequent Security Incidents

• Most incidents are precipitated by:
– An external complaint (your mail server is sending me a lot of spam e-mail)
– A change in the system (the hard drive is full, strange new programs are running, tape backups are taking a lot longer)
– The Internet is "slow", or we see strange activity
– A threat from an insider, usually a network administrator making casual statements about how they could "take them out" if they ever got fired

Page 9

Frequent Security Incidents

• Many complaints focus on inappropriate use of company technology:
– Employees looking at pornography at work
– A user is suspected of having "hacking" tools
– Suspected theft of trade secrets / proprietary information

Page 10

Frequent Security Incidents

• Another frequent event is an "employee termination" scenario:
– The employee is usually a computer administrator
– The employee has extensive access to many systems
– The employee is a "troublemaker"
– The employer wants help in terminating the employee, and wants to remove their access FIRST, before firing them
– This typically involves a lot of brainstorming to identify all possible points of ingress to the computing environment

Page 11

Breaching

• Enterprises spend millions to protect themselves from the threat of computer sabotage and breaches. An internal staff member is one potential source of a breach, and can reasonably be suspected of being part of the problem.

Page 12

Breaching

In the experience of at least one institution (Bank Central Asia, Indonesia), 70% of network security breaches are due to procedural aspects; the remaining 30% of attacks are at least partly technical, involving the information systems infrastructure or the security tools. BCA's own statistics also show the balance shifting from internal to external attacks once the bank went online: 62% internal and 38% external in 1996 (when BCA used only an intranet), then 41% internal and 59% external in 2000, and 30% internal and 70% external in 2001. Auditing, management controls and awareness are the key security building blocks.

Page 13

Breach by Internal Staff ([email protected], 2002)

Types of security breaches
• Users who are not entitled accessing resources: 57%
• Accounts left open after staff left the company: 43%
• Victim of information theft from your network: 30%
• Access for contractors not terminated upon project completion: 27%
• Attempted or successful break-in by an angry employee: 21%

Page 14

Breach Typical Scenario

• The angry employee (21%) is among the most clearly illegal breaches, yet one of the hardest to anticipate. Contributing factors:
• The introverted style of Information Technology staff.
• Frustration in a project, or because of overload.
• Too much trust placed in IT staff, giving one person the opportunity to commit a breach.
• No clear security policy in the company or organization.
• Passwords or IDs of ex-staff that are not deleted.
• Management controls or internal audit that are not effective.

Page 15

Company Response to Breach

• Enterprise response, auditing and discovery solutions provide an integrated platform for responding to incidents and threats across the enterprise, with the following benefits:
• Accelerate response time to information security breaches.
• Give the enterprise better control of its assets and infrastructure.
• Conduct comprehensive investigations and audits.
• Reduce the potential liability from misuse of corporate information and assets.
• Eliminate costly and archaic investigation/auditing procedures.
• Increase information systems' reliability and availability by conducting investigations while systems are online.

Page 16

An Impersonal World

• There are really two different types of computer security incidents: personal and impersonal

• In my work, they are almost always impersonal hacking attacks, not someone who intentionally targeted the victim

• Most hackers couldn't care less who you are or what sensitive information you have; they simply want to control an Internet-connected server

Page 17

An Impersonal World

• Usually this access is used in a few ways:
– To commit crimes, using you as the staging point
– To share questionable material, using your Internet connection and server space (the "warez" server)
– To access questionable material, using you as a relay to hide their origin (frequently porn)
– To use you as a SPAM relay to send junk e-mail to thousands of people
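The "SPAM relay" case above is usually an SMTP server that accepts any recipient from any client. The following added example (not code from the original slides) shows that relay decision in its open-relay form next to a hardened one, and drives a short constructed session through both so that both sides of the exchange are visible. The domain `acme.example`, the internal networks and the client address are assumptions for the example.

```python
# Added example (not from the original slides): the relay decision an SMTP
# server makes on RCPT TO, shown as the open-relay misconfiguration next to a
# hardened policy.  Domains, networks and addresses below are made up.
import ipaddress

LOCAL_DOMAINS = {"acme.example"}                 # assumed: domains this server delivers for
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]   # assumed: the company LAN


def open_relay_policy(client_ip, rcpt, authenticated=False):
    """The misconfiguration: every recipient is accepted from every client,
    so anyone on the Internet can push junk mail through this host."""
    return True


def hardened_policy(client_ip, rcpt, authenticated=False):
    """Accept a recipient only when the mail is for us, the client is on the
    internal network, or the client has passed SMTP AUTH."""
    rcpt_domain = rcpt.rsplit("@", 1)[-1].lower()
    if rcpt_domain in LOCAL_DOMAINS:
        return True                          # inbound mail for our own users
    if authenticated:
        return True                          # a known user sending outbound
    client = ipaddress.ip_address(client_ip)
    return any(client in net for net in INTERNAL_NETS)


def handle_rcpt(policy, client_ip, rcpt, authenticated=False):
    """SMTP reply for one RCPT TO command under the given policy."""
    if policy(client_ip, rcpt, authenticated):
        return "250 2.1.5 OK"
    return "554 5.7.1 Relay access denied"


def run_session(policy, client_ip, commands, authenticated=False):
    """Drive a minimal SMTP dialogue (greeting, EHLO, MAIL, RCPT, QUIT) and
    return the server's replies in order."""
    replies = ["220 mail.acme.example ESMTP"]
    for cmd in commands:
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            replies.append("250 mail.acme.example")
        elif verb == "MAIL":
            replies.append("250 2.1.0 OK")
        elif verb == "RCPT":
            rcpt = arg.split(":", 1)[-1].strip("<> ")
            replies.append(handle_rcpt(policy, client_ip, rcpt, authenticated))
        elif verb == "QUIT":
            replies.append("221 2.0.0 Bye")
        else:
            replies.append("500 5.5.1 Command unrecognized")
    return replies


# Constructed session: an outside host (203.0.113.9) tries to send to a third
# party and then to one of our own users.
SPAM_RUN = ["EHLO spammer.example",
            "MAIL FROM:<anyone@elsewhere.example>",
            "RCPT TO:<victim@third-party.example>",
            "RCPT TO:<bob@acme.example>",
            "QUIT"]

if __name__ == "__main__":
    for name, policy in (("open relay", open_relay_policy), ("hardened", hardened_policy)):
        replies = run_session(policy, "203.0.113.9", SPAM_RUN)
        print(name + ":", "S:", replies[0])
        for cmd, reply in zip(SPAM_RUN, replies[1:]):
            print("   C:", cmd)
            print("   S:", reply)
```

Under the open-relay policy the third-party recipient gets `250 2.1.5 OK`; under the hardened policy it gets `554 5.7.1 Relay access denied` while mail for `bob@acme.example` is still accepted. The two questions the hardened policy asks, "is this mail for us?" and "is this client one of ours?", are the whole of the fix; a server that answers neither is the one that ends up on the external complaint from slide 8.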

Page 18

How Hacking Happens

• Hacking is generally possible due to a vulnerability or a misconfiguration in some server or device

• Vulnerabilities exist, and are constantly being discovered, in all types of systems, by hackers and "white hats" alike

• Patches are released but rarely applied, due to lack of resources, lack of awareness, or just plain apathy

• Case in point: the SQL Slammer worm of January 2003 exploited a hole in Microsoft SQL Server for which a software fix had been available since July 2002, about six months earlier

Page 19

How Hacking Happens

• Hacking also occurs due to a variety of misconfiguration issues, such as:
– Not using a firewall to restrict access from the Internet
– Running programs that are not necessary
– Poor passwords, default passwords
– Default configurations

Page 20

Understanding Networks

[Diagram: ACME Corp Network. The Internet, with a "Bad Person" and a "Good Person" on it, connects through an Internet Router to the Company Firewall. Behind the firewall sit two segments: a DMZ Network of Internet-accessible machines (Web Server, Exchange e-Mail) and an Internal Network of protected machines (File Server, User Workstation, User Laptop, Printer).]

Page 21

Understanding Networks

• The example given previously is an example of “best practices” in network design, and provides some defense against Internet attacks

• Many (most?) organizations do not have an adequate network design, and have significant risk from the Net

• Even the BEST network design can’t protect a machine that is insecure!

Page 22

Understanding Networks

• Each machine that can talk to the Internet has a unique identifier called an “IP Address”

• IP addresses are sometimes static, and sometimes change frequently (especially for dial-up users)

• Regardless, tracking IP addresses is frequently our only recourse to track network attacks

• For example, if the IP address of a hacker can be tracked to AOL, it is then possible to obtain further info from AOL through legal action
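Before any request goes to an ISP, the addresses in the logs have to be pulled out, grouped and checked for whether they can be traced at all. The added example below (not code from the original slides) does that over a few constructed firewall log lines in an invented format: it groups events by source address, keeps the first and last timestamp (a dynamic dial-up address identifies a subscriber only together with the time it was in use, so the request to the ISP must quote both), and marks private, loopback and link-local sources as untraceable. The log format and the addresses are assumptions.

```python
# Added example (not from the original slides): triage of the source IP
# addresses in a firewall log, the "only recourse" the slide refers to.
# The log lines are constructed and the line format is an invented one.
import ipaddress
import re
from collections import defaultdict

# Sources that no ISP can map to a customer: private (RFC 1918), loopback,
# link-local.  Listed explicitly rather than via ipaddress.is_private, which
# would also flag the documentation ranges (203.0.113.0/24 etc.) used below.
UNTRACEABLE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

# Constructed sample, in time order: one outside host probing several ports,
# one internal host, one legitimate web visitor, and a line that does not parse.
SAMPLE_LOG = """\
2005-03-01 02:14:07 DENY TCP 203.0.113.45:51324 -> 192.0.2.10:22
2005-03-01 02:14:08 DENY TCP 203.0.113.45:51325 -> 192.0.2.10:23
2005-03-01 02:14:09 DENY TCP 203.0.113.45:51326 -> 192.0.2.10:1433
2005-03-01 02:15:30 ALLOW TCP 198.51.100.7:40001 -> 192.0.2.10:80
2005-03-01 02:16:00 DENY TCP 10.0.0.5:33000 -> 192.0.2.10:445
2005-03-01 02:16:01 DENY UDP 203.0.113.45:1434 -> 192.0.2.10:1434
garbage line that should be skipped
"""


def parse_line(line):
    """One log line -> dict of fields, or None when the line does not match."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_traceable(ip):
    """True when an ISP or abuse contact could in principle map the address to a customer."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in UNTRACEABLE_NETS)


def triage(log_text, min_events=2):
    """Group events by source address, keeping the ports touched and the
    first/last timestamp seen.  Assumes the log is in chronological order."""
    by_src = defaultdict(lambda: {"events": 0, "ports": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = by_src[rec["src"]]
        s["events"] += 1
        s["ports"].add(rec["dport"])
        s["first"] = s["first"] or rec["ts"]
        s["last"] = rec["ts"]
    report = [{"src": src, "events": s["events"], "ports": sorted(s["ports"]),
               "first_seen": s["first"], "last_seen": s["last"],
               "traceable": is_traceable(src)}
              for src, s in by_src.items() if s["events"] >= min_events]
    report.sort(key=lambda r: r["events"], reverse=True)
    return report


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG, min_events=1):
        print(r)
```

On the sample, `203.0.113.45` comes out on top with four events across ports 22, 23, 1433 and 1434 between 02:14:07 and 02:16:01, and is marked traceable; `10.0.0.5` is flagged as untraceable, which is itself useful: a private source address on the outside interface means the noise comes from inside the network, or from a spoofed packet, and no ISP request will help.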

Page 23

Types of Investigation

• Once a call comes in requesting help with an investigation, the engineer is dispatched on-site
• The first (and perhaps most important) step is to discuss the situation with the victim before doing any work
• There are basically three ways to approach an investigation:
– "Pull the Plug": don't touch the machine
– "Limited Investigation": tread lightly
– "Extensive Investigation": heavy footprint

Page 24

Types of Investigation

• Each of these approaches has advantages and disadvantages, depending on your goals

• The most important question to ask is how strongly the customer feels about trying to prosecute

• The second most important question to ask is how much $$ they have to spend

Page 25

"Pull the Plug"

• Used when a company is VERY intent on prosecution and does not want to risk any tampering with evidence
• As the title implies, the only investigation physically performed on the target system is to pull the power and network cords
• This is highly disruptive and expensive, as the server is no longer available

Page 26

"Pull the Plug"

• There is also a risk of losing immediate results (for example, you might miss evidence that would lead you to investigate other systems)
• There is also no opportunity to examine the "state" of the machine, which is lost when it is turned off:
– Which programs are running
– Current network connections
• Investigation of other data sources should still be performed (for all three approaches)
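Whichever approach is chosen, the reason to "pull the plug" is to be able to show later that nothing was altered. The added example below (not code from the original slides) is the minimum that makes that claim checkable: a manifest of SHA-256 hashes over the files taken from the machine, recording who collected them and when, sealed with a hash of the manifest itself so the list cannot be quietly edited afterwards. The case id, collector name and the two files are placeholders that `demo()` constructs in a temporary directory.

```python
# Added example (not from the original slides): an integrity manifest for the
# files collected from a seized machine, so that a reviewer can later show the
# evidence was not altered after collection.  Case id and collector name are
# placeholders; demo() builds its own throw-away files.
import hashlib
import json
import os
import tempfile
import time


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 (works for images far larger than RAM)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _digest(manifest):
    """Hash of the manifest contents, excluding the seal field itself."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def build_manifest(paths, collector, case_id):
    """Hash every file, record who collected it and when, then seal the list."""
    entries = []
    for p in sorted(paths):
        st = os.stat(p)
        entries.append({"path": os.path.abspath(p), "size": st.st_size,
                        "mtime": st.st_mtime, "sha256": sha256_file(p)})
    manifest = {"case": case_id, "collector": collector,
                "collected_at": time.strftime("%Y-%m-%dT%H:%M:%S%z"),
                "entries": entries}
    manifest["manifest_sha256"] = _digest(manifest)   # write this value down separately
    return manifest


def manifest_is_consistent(manifest):
    """True if the manifest itself has not been edited since it was sealed."""
    return manifest.get("manifest_sha256") == _digest(manifest)


def verify_files(manifest):
    """Paths whose current contents differ from the recorded hash, or are missing."""
    changed = []
    for e in manifest["entries"]:
        try:
            if sha256_file(e["path"]) != e["sha256"]:
                changed.append(e["path"])
        except FileNotFoundError:
            changed.append(e["path"])
    return changed


def demo():
    """Collect two constructed files, seal them, then tamper with one of them
    and with the manifest, and report what each check says."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "messages")
        pw = os.path.join(d, "passwd")
        with open(log, "w") as f:
            f.write("Mar  1 02:14:07 host sshd[812]: Failed password for root from 203.0.113.45\n")
        with open(pw, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        m = build_manifest([log, pw], collector="j.doe", case_id="IR-2005-001")
        clean = verify_files(m)
        with open(log, "a") as f:                      # someone "tidies" the log later
            f.write("Mar  1 09:00:00 host sshd[812]: line added after collection\n")
        dirty = verify_files(m)
        m_edited = dict(m, collector="someone else")   # and someone edits the manifest
        return {"clean": clean,
                "changed": [os.path.basename(p) for p in dirty],
                "sealed": manifest_is_consistent(m),
                "edited_detected": not manifest_is_consistent(m_edited)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest proves integrity from the moment of collection onwards; it says nothing about the volatile state (running programs, network connections) that the slide notes is gone once the cords are pulled. If that state matters to the case, it has to be captured before the power goes, and that capture is itself evidence to be hashed the same way.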

Page 27

[Diagram (marked Unclassified): a matrix of Best Practice (BP) Areas against Critical Infrastructure Sectors, each cell labelled "Information Technology Security" and the cell contents labelled BSPs. BP Areas: Operations Management, Environmental Controls, Fire Protection, Risk Management, Personnel Management, Audit and Accreditation, Contingency Management, Financial Management. Critical Infrastructure Sectors: Information and Communications, Electrical Power Systems, Banking and Finance, Transportation, Water Supply Systems, Emergency Services, Government Services.]

Page 28

• Some of the universal dos and don'ts that govern us are:
• The road block, or "do not put all your eggs in one basket".
• The reactionary, or shutting the gate once the horse has bolted.
• The patchwork quilt, or divide and fall. Myth: if you buy the best security products on the market, you are less likely to suffer a security breach.
• The plate spinner, or too much to manage. The key to effective security is vision: the ability to monitor all areas simultaneously and to set up alerts for irregular activity.
• The agoraphobic, or too paranoid about what's outside. Fear of external threats is understandable, but that is no reason to put all your effort into fending off the wolf at your door. Most accidents happen in the home: internal users or ex-staff commit by far the majority of security breaches. A recent Meta report highlighted that, over the lifecycle of an employee, he or she accumulates 17 user IDs, yet when employees leave only eleven of those IDs are ever deleted.
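The 17-versus-11 figure above, the "accounts left open after staff left" and "contractor access not terminated" lines on slide 13, and the "identify all possible points of ingress" step in the termination scenario on slide 10 are all the same control: reconcile the HR roster against the accounts that actually exist on each system. The added example below (not code from the original slides) does that reconciliation over a constructed roster and account inventory; the people, systems and dates are made up, and the inventory format (one tuple per account) is an assumption.

```python
# Added example (not from the original slides): reconciling an HR roster
# against the accounts that exist on each system, to find IDs that should
# have been removed and to list a departing administrator's ingress points
# before the termination meeting.  Roster and inventory are constructed.
from collections import Counter
from datetime import date

ROSTER = {   # constructed HR data: status, end date, employee or contractor
    "alice": {"status": "active",      "end": None,              "kind": "employee"},
    "bob":   {"status": "left",        "end": date(2005, 2, 28), "kind": "employee"},
    "carol": {"status": "active",      "end": date(2005, 1, 15), "kind": "contractor"},
    "dave":  {"status": "terminating", "end": date(2005, 3, 10), "kind": "employee"},
}

# constructed account inventory: (system, account, owner, enabled, privileged)
ACCOUNTS = [
    ("ad",        "alice",       "alice", True,  False),
    ("ad",        "bob",         "bob",   True,  False),
    ("unix-fs01", "bob",         "bob",   True,  True),
    ("vpn",       "bob",         "bob",   True,  False),
    ("oracle",    "carol_c",     "carol", True,  False),
    ("ad",        "dave",        "dave",  True,  True),
    ("vpn",       "dave-laptop", "dave",  True,  False),
    ("unix-fs01", "backup",      "dave",  True,  True),   # service account he set up
    ("firewall",  "admin",       None,    True,  True),   # shared, nobody owns it
    ("ad",        "erin",        "erin",  False, False),  # already disabled
]


def reconcile(roster, accounts, today):
    """One finding per enabled account that should be disabled or reviewed."""
    findings = []
    for system, account, owner, enabled, privileged in accounts:
        if not enabled:
            continue
        person = roster.get(owner) if owner else None
        reason = None
        if person is None:
            reason = "no owner in HR roster (shared or orphaned account)"
        elif person["status"] == "left":
            reason = "owner left on %s, account still open" % person["end"]
        elif person["kind"] == "contractor" and person["end"] and person["end"] < today:
            reason = "contractor engagement ended %s" % person["end"]
        elif person["status"] == "terminating":
            reason = "ingress point to revoke before termination on %s" % person["end"]
        if reason:
            findings.append({"system": system, "account": account, "owner": owner,
                             "privileged": privileged, "reason": reason})
    # privileged access first: that is what an angry administrator would use
    findings.sort(key=lambda f: (not f["privileged"], f["owner"] or "", f["system"]))
    return findings


def ids_per_person(accounts):
    """How many enabled IDs each person has accumulated across systems."""
    return Counter(owner for _, _, owner, enabled, _ in accounts if owner and enabled)


if __name__ == "__main__":
    for f in reconcile(ROSTER, ACCOUNTS, today=date(2005, 3, 1)):
        print(f)
    print(ids_per_person(ACCOUNTS))
```

Run against the sample on 1 March 2005 it reports eight accounts: bob's three (he left on 28 February), carol's Oracle login (her engagement ended in January), dave's three including the `backup` service account he owns on the file server (the list to revoke before he is told), and the ownerless firewall `admin` account. The `backup` and `admin` lines are the point of the exercise: an administrator's ingress points are rarely all under his own name, which is why the slide speaks of brainstorming rather than a simple lookup.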

Page 29

REFERENCES

• Find articles on security and breaches in e-Business from sources including:
• http://www.entrepreneur.com/
• http://www.oleran.com/security.htm
• http://www.genuity.com/services/security/
• http://www.unisys.com/
• http://www.macroint.com/
• http://www.vigilinx.com/
• http://www.avatier.com/
• http://www.echelonsystems.com/security
• http://news.com.com/
• http://www.madison-gurkha.com/serv_security
• http://www.cai.com/
• http://www.digitalresearch.com/digitalresearch/company/
• http://chancellor.ucdavis.edu/
• http://www.online-edge.co.uk/
• http://www.activis.com/
• http://www.guidancesoftware.com/
• http://www.informationweek.com/
• http://www.escrowconsulting.com/
• http://www.shake.net/

Page 30

Summary

• Students are required to write a summary