utsw elearning ahmad akbar 41208010021

Upload: ahmad-akbar-yashin

Post on 27-Feb-2018


    7/25/2019 Utsw Elearning Ahmad Akbar 41208010021

    UTS APLIKOM GENAP 2014/2015 (Computer Applications midterm exam, even semester 2014/2015)

    Trust is the glue that holds our societies and economies together. To gain trust in business, you have to ensure the integrity of your products, services, and operations as well as the protection of confidential information.

    Do your customers trust you? How about your employees and business partners? These questions are more important than ever in a world brimming over with sensitive data and where even relatively simple data security breaches can have huge direct and indirect impacts.

    Indeed, trust is a critical ingredient for success in a fast-changing business world. Customers buy products and services at least in part because they trust you: that your products will work as promised, that your services will be available whenever needed, and, most importantly, that you will protect their personal data. Your business partners (suppliers, development partners, and distributors) work with you because they trust you will protect both their contributions to success and the secrets about your relationship. Last but not least, your employees trust that their medical information and other personal data is safe, and that working procedures protect their legal rights.

    Ahmad Akbar 41208010021


    At its core, information security is about more than merely protecting confidentiality or making sure your systems are safe; it's about maintaining the integrity of your systems, and thus your business and production processes.

    Losing Trust

    Every week seems to bring headlines about security incidents; 2014 included the steady stream of leaks about National Security Agency surveillance as well as news of breaches that have hammered JPMorgan Chase and Sony. In many cases, it seems that hackers remain a step ahead of the existing countermeasures. (For more information see the appendix, "From Attack-as-a-Service to Cyberespionage: The Latest Trends in Hacking.")

    It's tempting to relax if your firm hasn't been (or doesn't know it has been) targeted yet. Too often, we hear statements such as, "We are secure; nothing has happened to us before," or "Our firm is not important enough to be a target," or "Security costs are greater than the potential damages." Unfortunately, many studies have demonstrated, and many executives have learned the hard way, that these statements simply aren't true. While there is no commonly agreed-upon number for the costs of worldwide security breaches, estimates range from $400 billion (about the


    No single industry has the ability to defend all attacks; even the best-prepared, most technologically advanced industries, such as telecom and banking, have faced embarrassing incidents and the exposure of reams of public data. Other, potentially far more damaging incidents have been successfully hidden at high financial expense. In manufacturing, where safety (avoiding accidents) has long been a focus, information security has not been a priority. The same is true for infrastructure industries such as traffic and utilities (other than nuclear plants, where the information security focus derives from the industry's larger safety and security mindset). Despite the imminent threats, senior management awareness seems quite low across industries. This is changing, but only slowly.

    With digitization increasing, breaches are inevitable, and the magnitude and frequency of successful attacks will only increase. Only a significant, society-wide change in awareness may be able to slow down, and later reverse, this development.

    Trust Requires Transparency and Strategic Commitment

    Silence is perhaps the largest hurdle in tackling information security. Many executives choose to say nothing, certainly when the damage is hidden, and often even when it becomes visible. However, true information security requires attacking tough issues head on. For the leading companies, information security is a cross-functional, multidimensional task that starts at the top, with corporate leaders bringing together various parties and specialists to address strategic alignment, organizational and process setup, technical measures, communication, and culture.

    For management teams at these firms, the first step is understanding that information security risks are business risks. Board members are the ultimate owners of information security risk and are best positioned to instill an information security mindset across the organization.

    The best information security departments seek to support the business side in achieving business objectives securely, building trust both internally and externally and setting mutual goals to create a stronger relationship (see sidebar: Using Communications to Build Trust). For these leading firms, both business and


    information security leaders share responsibility for evaluating protection levels and identifying threats and vulnerabilities. With the business side supported by the information security function in analyzing the business impact of information security, they mutually define the value at risk. It is paramount that the information security function perform the final risk evaluation with an eye toward keeping overall business costs down. For these companies, there is transparency and trust about the true risk landscape and about defining potential measures to mitigate those risks. Creating informed decision processes for implementing measures or accepting risks ensures that risks are only accepted when there is proper reasoning and documentation.

    The Five Dimensions of Addressing Information Security

    How do these leading firms achieve cutting-edge information security? By addressing five dimensions, each crucial to success: strategy, organization, processes, technology, and culture (see figure 1). Rarely are security incidents linked to just one of these five dimensions. Conversely, an integrated combination of measures across all five can ensure your company is prepared to address information security issues. The following section looks at the five dimensions and some of the leading practices in addressing them (see figure 2).

    Strategy. Solid strategy is the foundation for all information security. It focuses resources on what is most important to protect and sets clear guidelines to help define what level of protection is needed in different areas.

    Information security leaders do three things particularly well when it comes to strategy:

    The information security strategy is clearly linked to the corporate strategy. It defines what is important for the company and its stakeholders, and, hence, what must be protected.

    Leading companies put the greatest emphasis on defining and then protecting their most critical assets, making it harder for attackers to increase


    the damage after an initial breach. Information security policies clearly define the requirements for security areas from data centers, devices, applications, and production systems to processes and governance, such as risk management, incident management, and the classification of information. And guidelines for specific stakeholder groups (executives, administrators, and external users, among others) serve as "best practices" specific to the audience. This knowledge helps balance the desired level of protection against the cost and effort to achieve appropriate security, in other words, the acceptable risk that can be tolerated.

    A well-defined road map defines short- and midterm goals for information security. Long-term goals would fail in a rapidly changing environment, or they would come too late to address foreseeable issues.

    Organization. Information security requires an organizational setup that can manage through tough decisions. Often there is initial resistance to security measures or a conflict of interest that slows progress. Only if the information security function can act at "eye level" with the business can a company implement all important security measures. This is even truer across divisional or regional organizations, where attackers can use the weakest link to enter the corporate network and then easily move across the entire corporation. Similarly, with external partners along the value chain, every connection can become a potential entry point for the bad guys. Properly addressing the internal organization and the entire ecosystem of partners is critical.

    Following are two best practices:

    Leading companies have a dedicated chief information security officer (CISO) who reports to another board member rather than the CIO, in order to avoid potential conflicts of interest.

    Divisions and regions also have their own information security officers with dotted-line reporting to the CISO; other roles responsible for information security are consistently defined throughout the organization and sufficiently staffed.


    Processes. Security is a process, not a state. Well-defined processes ensure that a strategy is implemented, that protection measures are regularly reviewed, and that adjustments are made for changing requirements. Information security must be integrated into all business and operational processes; otherwise protection will slip or costs will rise.

    Leaders follow five best practices:

    Leading companies implement solid information security management systems (ISMS) that conform to ISO 2700x, including information security risk management and incident management. Consistent ISMSs across the organization ensure cross-divisional, interregional consolidation and coordination.

    Information security leaders make sure they understand the risks to all business-critical processes. Business continuity management secures the business even in case of incidents for all critical processes. All required parties regularly conduct training regarding business continuity plans, ensuring that operability and continuous improvement stay up to date with changing requirements.

    All supporting processes are also aligned with information security requirements. For example, the project management process involves early security reviews, as including security from the beginning (rather than waiting until everything is designed) lowers costs and increases effectiveness.

    Identity and access management, which is often the eye of the storm of an attack, is focused on the principle of least privilege. Leaders have the checks and controls in place to limit potential damage through insider attackers or compromised accounts.

    IT operations processes are designed with security in mind to reduce risk for IT infrastructure and applications. Regular penetration tests verify the effectiveness of security measures.

    Technology. IT security is not the same thing as information security. The critical difference is that information security accounts for the human factor, which is central


    to nearly all successful attacks, as well as technology. For example, some regrettable breaches have come from information stolen because of simple errors such as disposing of sensitive information in a trash bin below the desk or behind the building. Having said that, technology is obviously important. Almost all publicly known major security breaches involve technology; in many cases the cause is an avoidable mistake, such as an insufficiently patched IT system.

    How do leading companies stand out in terms of technology?

    Leading companies care most about the one attack they might miss, not the millions of malware attacks they know they can defend. These leading security organizations are efficient in their technology use so that they are able to spend more time working with the business side to secure core processes.

    Servers and applications are protected according to security classification, and administration occurs only through specifically secured channels with tight control mechanisms.

    Clients (desktops, laptops, and mobile devices) are equipped with the latest malware protection and protect data in case they are stolen or lost. Access requires multifactor authentication wherever possible. At the same time, these companies seek to ensure that the user experience is improved.

    Best-practice networks are properly segmented with strict traffic control between segments. Detection technologies are deployed at all critical places and linked to a central SIEM (security information and event management) system as the central monitoring instance. Security monitoring is managed by a SOC (security operations center), which evaluates incidents and drives remediation activities together with the CERT (computer emergency response team).
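    The segmentation, secured admin channels and SIEM monitoring described above, together with the "weakest link" lateral-movement concern from the Organization section, as an added example that is not part of the original article: a small correlation routine of the kind a SOC would run over events forwarded to a SIEM. The segment layout, the allowed-flow policy, the admin ports and the key=value event format are assumptions made for this example, and the sample events are constructed, not real logs.

```python
"""Toy SIEM correlation over constructed connection/authentication events.

Added example (not from the article). The segment layout, allowed flows,
admin ports and the event format are assumptions made for illustration.
"""
import ipaddress
from collections import defaultdict

# Assumed network segmentation (constructed for the example).
SEGMENTS = {
    "office": ipaddress.ip_network("10.10.0.0/16"),
    "mgmt": ipaddress.ip_network("10.20.0.0/24"),    # jump hosts only
    "servers": ipaddress.ip_network("10.30.0.0/16"),
    "ot": ipaddress.ip_network("10.40.0.0/16"),      # production/control systems
}

# Assumed segmentation policy: destination segments each source segment may
# reach at all. A source in no known segment is never allowed anywhere.
ALLOWED_FLOWS = {
    "office": {"office", "servers"},
    "mgmt": {"office", "mgmt", "servers", "ot"},
    "servers": {"servers"},
    "ot": {"ot"},
}

ADMIN_PORTS = {22, 3389, 5985}   # ssh, RDP, WinRM (assumed admin channels)
PROTECTED = {"servers", "ot"}    # admin access here must come from mgmt
LATERAL_THRESHOLD = 3            # distinct hosts one account may admin before alerting


def segment_of(ip: str) -> str:
    """Map an address to its segment name, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def parse_event(line: str) -> dict:
    """Parse '<timestamp> key=value ...' into a dict; dport becomes an int."""
    ts, *fields = line.split()
    ev = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = value
    ev["dport"] = int(ev["dport"])
    return ev


def evaluate(lines):
    """Return a list of findings (tuples) for the given event lines."""
    findings = []
    admin_hosts_per_user = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        src_seg, dst_seg = segment_of(ev["src"]), segment_of(ev["dst"])
        # Rule 1: the flow itself is not permitted by the segmentation policy.
        if dst_seg not in ALLOWED_FLOWS.get(src_seg, set()):
            findings.append(("segmentation_violation", ev["src"], ev["dst"], ev["dport"]))
        # Rule 2: admin access to a protected segment that did not come
        # through the jump-host segment (bypassing the secured channel).
        if ev["dport"] in ADMIN_PORTS and dst_seg in PROTECTED and src_seg != "mgmt":
            findings.append(("admin_bypass_jump_host", ev["src"], ev["dst"], ev["dport"]))
        # Collect successful admin logins per account for Rule 3.
        if ev["dport"] in ADMIN_PORTS and ev.get("result") == "success" and ev.get("user", "-") != "-":
            admin_hosts_per_user[ev["user"]].add(ev["dst"])
    # Rule 3: one account administering many hosts is a lateral-movement signal.
    for user, hosts in admin_hosts_per_user.items():
        if len(hosts) >= LATERAL_THRESHOLD:
            findings.append(("possible_lateral_movement", user, len(hosts)))
    return findings


# Constructed sample events (not real logs).
SAMPLE_LOGS = [
    "2015-03-02T08:00:01Z src=10.10.5.7 dst=10.30.1.9 dport=443 user=- result=success",
    "2015-03-02T08:00:05Z src=10.20.0.4 dst=10.30.1.9 dport=22 user=ops.admin result=success",
    "2015-03-02T08:01:10Z src=10.10.5.7 dst=10.30.1.9 dport=22 user=ops.admin result=success",
    "2015-03-02T08:02:00Z src=10.10.5.7 dst=10.40.2.2 dport=502 user=- result=success",
    "2015-03-02T08:03:00Z src=10.30.1.9 dst=10.30.1.10 dport=22 user=ops.admin result=success",
    "2015-03-02T08:03:30Z src=10.30.1.9 dst=10.30.1.11 dport=22 user=ops.admin result=success",
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_LOGS):
        print(finding)
```

    On the sample events, the HTTPS request from the office segment and the SSH session from the jump host pass silently; the office-to-server SSH, the two server-to-server SSH hops and the office-to-OT connection are flagged, and the one account that administered three servers triggers the lateral-movement rule. A production SIEM would add time windows, asset classification and allow-lists for known scanners, but the shape is the same: the segmentation policy and the "admin only via secured channels" rule are encoded once and every forwarded event is checked against them.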

    Culture. Culture is about the people aspect of security. Almost all major incidents involve the human element, typically some employees who are tricked into malicious behavior. But expecting everyone to understand the risk isn't fair; education is required. Then, companies can mitigate the risk by making all employees true stakeholders of information security.


    Culture is a key cog in maintaining solid information security for leading firms. Best practices include the following:

    The commitment of top managers to information security and understanding it as a cross-functional task can bring strong results. For firms with strong information security, the culture ensures that everybody feels responsible for their business's security, and that information security is a business enabler.

    Leading firms understand that employees across functions are a great source for identifying security gaps. They enable this by creating cultures that are open to the idea that employees can freely report security problems without fear of punishment for being the "bearers of bad news."

    Typically, companies vary in their performance across categories, yet often there is a clear overall trend. Using A.T. Kearney's health check to assess performance, companies can outline their objectives in each category and create a program of short- and midterm measures that lead to the desired state. A comprehensive program can require three years to complete (see figure 3 on page 8).

    Information Security: Setup and Budget

    There are many schools of thought on how much a company should spend on information security. Five percent of the IT budget (with year-over-year growth of 4 to 10 percent) is often cited as a good rule, but in truth it depends on the individual company and its industry. Not only should information security be independent from IT, but where you are today and the gaps you need to close to reach the desired protection level can mean more costs at the outset. That may be hard for some to swallow, but following a generic benchmark would be a recipe for failure.

    Building the budget bottom-up, based on identified risks and the measures needed now, is the best first step. This forces the organization to work on operational excellence. In other words, the objective is not how to achieve the best theoretical solution, but how to find a solution that is strong, feasible, and cost-effective in delivering adequate protection to meet business objectives. The solution has to work in practice and at a reasonable cost.


    Lastly, cost creep often occurs after a project is approved. Rigorous project management, independent of the (mostly technical) implementation provider, that keeps operational excellence and business objectives in focus will help avoid this.

    Trust Is the Glue

    The business world is seeing disruptive technologies and business models at an unprecedented rate. Industries are changing, with startups leading the change and becoming partners to established corporations. Collaboration is a major cross-industry trend. With digitization, everything gets more interconnected. But one thing does not change: Trust is the glue that holds our societies and economies together.

    This shiny new world has dark clouds quickly approaching from the horizon, or a sudden tsunami appearing out of nowhere. To keep the trust up with all internal and external stakeholders, you have to be prepared not only to defend, but also to deal with a crisis. A systematic approach covering the five aforementioned dimensions helps companies to establish the structures to be prepared, helping the employees to trust in their own capabilities and carrying the trust outside the company.

    Appendix

    From Attack-as-a-Service to Cyberespionage: The Latest Trends in Hacking

    The next waves of attacks are as hard to predict as natural disasters, but some trends are already evident, and others can be predicted. Here are a few to watch out for:

    Total global surveillance. Data enables activities beyond the wildest Orwellian dreams, shaking the foundations of trust among different governments and between governments and their citizens. Many corporate leaders are afraid of what it means for their firms. Known security measures may fall short when coming up against industrial espionage by intelligence agencies. One telecommunication company providing services to a parliament found its network heavily compromised by a foreign intelligence agency seeking to get its government into a better position for major multinational negotiations.


    Intentional weakening of IT defenses. The intended weakening of IT and security products is a real nightmare. While you want to trust that the products you use help you stay as secure as possible, many major companies have intentionally (and not necessarily voluntarily) introduced weaknesses and backdoors into their products (notably security products and in particular, but not limited to, commercial cryptography) at the behest of governments seeking information. In other cases, governments have intervened in the shipping process to alter products in their favor. Recently, The Intercept revealed documents detailing the NSA's Sentry Eagle and claims that the program infiltrated commercial entities, often even physically, in South Korea,


    Network equipment producer Huawei provides an interesting example here, as the company has been suspected by some countries of introducing backdoors for Chinese agencies; later it was revealed they had been attacked by the NSA in an attempt to implement backdoors. To combat the claims and win the trust of customers, Huawei has offered to open its code to national intelligence agencies.

    The rise of AaaS. Attack-as-a-service (AaaS) could be an important (albeit clandestine) business model in coming years. The most dangerous attacks for corporations are highly professional and customized to their targets, often referred to as advanced persistent threats (APTs) or targeted attacks. APTs require time, money, and knowledge to execute, the kind that no single organization can create alone, and thus lead to a very international cybercrime industry. Interestingly enough, this industry is built largely on trust; as in other industries, it is evolving and creating new business models. Presumably, customers can execute attacks without the deep knowledge originally required. The first example we have seen involves the banking industry, with the Trojans Zeus and SpyEye evolving toward this new service model while the users of the respective services made incredible amounts of money.

    Massive attacks on infrastructure. The cyber espionage campaign known as Energetic Bear, of origins still unconfirmed, has successfully compromised more than 1,000 utility companies in 84 countries. The attack has not only stolen significant data but also opened the door to sabotage by enabling the crippling of physical systems such as wind turbines, gas pipelines, and power plants at will. Huge attacks such as these could be preludes to strikes in something of a "lukewarm cyberwar." These kinds of threats not only endanger utilities, but also other critical infrastructure such as information and communication technology, healthcare, traffic and transport, and banking. Users generally trust that the services of these sectors are safe; an important question in these industries is "What happens when users lose trust?" And we certainly don't want to find ourselves in a situation where public life suddenly comes to a halt when the lifelines of our society are interrupted.

    Automation systems as prime targets.
