Preliminary
First we must know the difference between safety and protection? Protection concerns about the internal factors of a computer system. Security while considering external factors (environmental) factors outside the system and protection against system resources. Looking at these differences, it is clear that the security cover wider than protection.
How does a system can be said safely? A new system can safely be said if the resource used and accessed in accordance with the will of the user in various circumstances. Unfortunately, no single computer system has any security system is perfect. Data or important information that should not be accessible by others may be accessed, read or modified by others.
Therefore, it needs a security system to cope with the possibility that important information can be accessed by others. Above explained that unlicensed no single computer system that has a perfect security system. However, at least we should have a mechanism that makes such violations are rare.
In this chapter we will discuss matters concerning the security of a system, the study will hopefully help us reduce the violations that may occur.
References
Abraham Silberschatz, Peter Baer Galvin and Greg Gagne: Operating System Concepts with Java - Sixth Edition, John Wiley & Sons, 2004.
Andrew S. Tanenbaum: Modern Operating Systems - Second Edition, Prentice Hall, 2001.
Larry L. Peterson, Bruce S. Davie: Computer Networks A Systems Approach - Second Edition, Morgan Kaufmann, 2000.
Ronald L. Krutz, Russell Dean Vines: The CISSP Prep Guide Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001.
Man and Ethics
Talking about people and ethics, we know that on earth there are all kinds of characters of different people. Most people have a good heart and always tried to obey the rules. However, there are some bad people who want to cause chaos. In the context of security, the people who create havoc in places that are not associated with them called the intruder. There are two kinds of intruders, namely:
1. Passive intruder
Intruder who just want to read files that they should not be read.
2. Active intruder
More dangerous than passive intruder. They want to make changes that are not allowed (unauthorized) on the data.
When designing a system that is secure against intruders, it is important to know the system will be protected from any kind of intruder. Four examples of categories:
1. One's curiosity about private matters of others.
Many people have a PC connected to a network and some people in the network will be able to read e-mails and files of others if there is no 'barrier' is placed. For example, most UNIX systems have a default that all newly created files can be read by others.
2. Infiltration by persons in
Students, system programmers, operators, and technicians assume that broke the local computer security system is a challenge. They are usually very skilled and willing to sacrifice a lot of time to the business.
3. The desire to earn money.
Some programmers banks trying to steal money from the bank where they work in ways such as changing the software to cut interest rates rather than round, save a little money for their own, withdraw money from accounts that have not been used for many years, to blackmail ("Pay me , or I will destroy all your bank records. ")
4. Espionase commercial or military.
Espionase is serious business given the huge funds by a rival or another country to steal programs, trade secrets, patent ideas, technology, business plans, and so forth. Often these efforts involve wiretaping or antenna that is directed to a computer to capture the electromagnetic radiation.
The protection of military secrets from being stolen by other countries is very different from the protection of students who tried to enter the message-of-the-day on a system. It is clear that the number of activities related to security and protection depends on who the "enemy" her.
Security Policy
Wisdom of the usual safeguards that are used are simple and general. In this case means that each user in the system can understand and follow policies that have been determined. The contents of the policy itself is a level of security that can protect critical data stored in the system. These data must be protected from any users who use the system.
Some things to consider in determining the security policy is: who are the have access to the system, who are allowed to install the program into the system, who are having certain data, repairs to the damage that may occur, and the use of reasonable system.
Physical Security
The first security layer that must be taken into account is the physical security of computer systems. Physical security involves measures to secure the location of the computer systems against intruders are armed or who tried to infiltrate into the computer system.
The question that must be answered in ensuring the physical security, among others:
1. Anyone who has direct access into the system?
2. Are they really entitled to?
3. Can the system be protected from the intent and purpose of them?
4. Is it necessary?
Many physical security in the system has a dependence on the budget and the situation at hand. If users are home users, then the possibility of physical security is not much needed. However, if a user works in the lab or computer network, a lot to think about.
Today, many personal computers have the ability to lock. Usually this key form of socket on the front of the casing that could be included key to lock or unlock it. Lock casing to prevent someone to steal from the computer, open it directly to manipulate or steal existing hardware.
Security Software
Examples of security software is the BIOS. The BIOS is a low-level software that configures or manipulates a particular hardware. BIOS can be used to prevent attackers from rebooting the machine and manipulate the Linux system.
Examples of BIOS security can be viewed on Linux, which many PC BIOS allowing to set a boot password. However, this does not provide much security because the BIOS can be reset, or removed if someone can get into the case. However, perhaps the BIOS can be a bit useful. Because if anyone wants to attack the system, to enter the case and reset or remove the BIOS would require considerable time and will leave a mark. This will slow the action a person who tries to attack the system.
Network Security
In essence, computer networks are resources (resources) are shared and can be used by many applications with different purposes. Sometimes, data is transmitted between the applications is confidential, and the application would not want just anyone to read the data.
For example, when buying a product via the internet, the user (users) to enter credit card number into the network. This is dangerous because other people can be easily intercepted and read the data they will be on the network. Therefore, users usually want to encrypt (encrypt) the messages they send, with the aim of preventing people who are not allowed to read the message.
Cryptography
Basic encryption is quite simple. Sender encryption function on a plaintext message, ciphertext is then transmitted through the network, and the recipient decryption function (decryption) to obtain the original plaintext. The process of encryption / decryption depends on the key (key) secret known only to the sender and receiver. When the key and the encryption is used, it is difficult for eavesdroppers to break the ciphertext, so that communication between the sender and receiver data is safe.
Cryptography range is designed to ensure privacy: prevent spread information without permission. However, privacy is not the only service provided by cryptography. Cryptography can also be used to support authentication (verifying user identity) and integrity (ensuring that the message has not been changed.)
Cryptography is used to prevent an unauthorized person to enter the communication, so that data confidentiality can be protected. Broadly speaking, cryptography is used to send and receive messages. Cryptography basically based on the key that has been selectively plated on computers that are in one network and be used to process a message.
Operational
Security operations (operations security) is any action that makes the system operate safely, controlled and protected.
What is meant by the system is a network, computer, environment. A system is declared operational when the system has been declared to function and can be run with a continuous duration, ie from day to day, 24 hours a day, 7 days a week.
Administrative Management (Administrative Management) is the assignment of individuals to manage the security functions of the system. Some related issues:
1. Separation of duties (separation of duty)
Commissioned matters concerning security to some people. For example, the right to install the program into the computer system only admins, users are not given these rights.
2. Least Privilege (minimum access rights)
Each person is given only the minimum permissions required in the implementation of their duties.
3. Need to Know (curiosity)
What is meant by need to know is the knowledge of the information needed to do a job.
The main categories of operational security controls, among others:
1. Preventative Control (preventive control)
To prevent errors and intruders entered the system. For example, preventive controls to prevent the virus entering the system is to install antivirus software.
2. Detective Control (control detection)
To detect errors entering the system. For example, searching for viruses that managed to enter the system.
3. Corrective / Recovery Control (control improvements)
Helps restore lost data through data recovery procedures. For example, repair data exposed to the virus.
Other categories include:
1. Deterrent Control
To encourage compliance (compliance) with external controls.
2. Application Control (control application)
To minimize operations and detect unusual software.
3. Transaction Control (control transactions)
To provide control at various stages of the transaction (from initiation to output, through control testing and change control).
BCP / DRP
Based on the understanding, or the Business Continuity Plan BCP is a sustainable business plan, while the DRP or the Disaster Recovery Plan is a plan for recovery from possible damages that occurred.
Aspects contained within a sustainable business plan is recovery plan from the possibility of such damages occurring. In other words, contained in BCP DRP.
Plans for recovery of damages, whether caused by nature or humans, not only have an impact on a company's computer processing capability, but also will impact the business operations of the company. These defects can turn off the entire operating system. The longer the operation of a company dies, it will be increasingly difficult to rebuild the business of the company.
The basic concept of recovery from the possibility of such damages occurred, ie should be applicable to all companies, both small companies and large corporations. This depends on the size or type of process, whether using a manual process, the process by using a computer, or a combination of both.
In small companies, usually less formal planning process and less complete. While at large companies, formal and comprehensive planning process. If the plan is followed it will provide clues that can reduce the damage that is being or is going to happen.
Audit Process
Audit in the context of information technology is to check whether the computer system running properly.
Seven-step audit process:
1. Implement a risk management strategy based audit and control practices that can be agreed by all parties.
2. Specify the steps detailed audit.
3. Use of facts and material evidence sufficient, reliable, relevant, and useful.
4. Make the report and its conclusions based on facts collected.
5. Review whether the audit objectives achieved.
6. Convey reports to interested parties.
7. Ensure that the organization implements risk management and control practices.
Before running the audit process, of course, the audit process must be planned in advance. Audit planning (planning the audit) should clearly explain the purpose of the audit, the authority of auditors, the approval of top-management, and audit methods.
Audit methodology:
1. Audit subject: determine what will be audited.
2. Audit objectives: determine the purpose of the audit.
3. Audit scope: determining the system, function, and part of an organization that is specific / particular will be audited.
4. Preaudit planning: identify resources and human resources needed, determine what documents are needed to support the audit, determine the location of the audit.
5. Audit procedures and steps for data gathering: to determine how to conduct an audit to examine and test the control, determine who will be interviewed.
6. Evaluation of the test and examination: specific to each organization.
7. Communication procedures with management: specific to each organization.
8. Audit report preparation (determining how to review the audit results): evaluation of the validity of the documents, procedures, and policies of the organization being audited.
The structure and content of audit reports are not standard, but generally consist of:
- Introduction: the purpose, scope, duration of the audit, the audit procedures.
- The general conclusion of the auditor.
- Results of the audit: what is found in the audit, whether proper procedures and controls or not.
- Recommendations.
- The response from management (if necessary).
- Exit interviews: the last interview between the auditor with management to discuss the findings and recommendations for further action. At the same time convince the management team that the results valid.
Summary
Data or important information that should not be accessible by others may be accessed, either read or changed by others. We must have a mechanism that makes violations are rare.
When designing a system that is secure against intruders, it is important to know the system will be protected from any kind of intruder.
To maintain the security of a computer system can be achieved in various ways, including:
- Physical security
it depends on the budget and the situation at hand.
- Security software
examples of the BIOS software security.
- Network security
namely by means of cryptography
DRP (Disaster Recovery Plan) contained in BCP (Business Continuity Plan). DRP basic concept should be applicable to all companies.
Audit process aims to check whether the computer system running properly.
