The Problem 

In the rush to benefit from using the Internet, organizations often overlook significant risks.
the engineering practices and technology used by system providers do not produce systems that are immune to attack network and system operators do not have the people and practices to defend against attacks and minimize damage policy and law in cyber-space are immature and lag the pace of change
There is continued movement to complex,client-server and heterogeneous configurations with distributed management.
There is little evidence of security improvements in most products; new vulnerabilities are found routinely.
Comprehensive security solutions are lacking; current tools address only parts of the problem
Engineering for ease of use has not been matched by engineering for ease of secure administration
ease of use and increased utility are driving a dramatic explosion in use system administration and security administration are more difficult than a decade ago


It’s going to get worse
Explosive growth of the Internet continues ,continues to double in size every 10-12 months where will all the capable system administrators come from?

Market growth will drive vendors time to market, features, performance, cost  are primary “invisible” quality features such as security are secondary.


More sensitive applications connected to the Internet

• low cost of communications, ease of connection, and power of products engineered for the Internet will drive out other forms of networking
• hunger for data and benefits of electronic interaction will continue to push widespread use of information technology 
• The market for security products and services is growing faster than the supply of quality product and service providers
  An informed consumer base needs understanding, not just awareness
  Sometimes the suppliers don’t understand either
  “If you want it badly, you’ll get it badly”

Increased understanding by technology users will build demand for quality security products; vendors will pay attention to the market.Technology will continue to improve:

• encryption
• strong authentication
• survivable systems
• Increased collaboration across government and industry
• Strong market for security professionals will eventually drive graduate and certificate programs

Pertanyaan
1. Apa masalahnya?
2. Mengapa masalahnya semakin besar?
3. Apa yang harus dikembangkan dari teknologi untuk menghadapi masalah tersebut?

• conduct electronic commerce
• provide better customer service
• collaborate with partners
• reduce communications costs
• improve internal communication
• access needed information rapidly

• money
• time
• products
• reputation
• sensitive information

…but instead, “to make the system as secure as possible within certain constraints” (cost, usability, convenience). Jelaskan maksud kalimat tersebut?

5. Apa yang dimaksud dengan "social engineering" pada human factor?

Anti-virus Packages
Virus protection software is packaged with most
computers and can counter most virus threats if the
software is regularly updated and correctly maintained.
The anti-virus industry relies on a vast network of users to
provide early warnings of new viruses, so that antidotes
can be developed and distributed quickly. With thousands
of new viruses being generated every month, it is essential
that the virus database is kept up to date. The virus
database is the record held by the anti-virus package that
helps it to identify known viruses when they attempt to
strike. Reputable anti-virus software vendors will publish
the latest antidotes on their Web sites, and the software
can prompt users to periodically collect new data.
Network security policy should stipulate that all
computers on the network are kept up to date and, ideally,
are all protected by the same anti-virus package—if only
to keep maintenance and update costs to a minimum. It is
also essential to update the software itself on a regular
basis. Virus authors often make getting past the anti-virus
packages their first priority.

Security Policies
When setting up a network, whether it is a local area
network (LAN), virtual LAN (VLAN), or wide area
network (WAN), it is important to initially set the
fundamental security policies. Security policies are rules
that are electronically programmed and stored within
security equipment to control such areas as access
privileges. Of course, security policies are also written or
verbal regulations by which an organization operates. In
addition, companies must decide who is responsible for
enforcing and managing these policies and determine how
employees are informed of the rules and watch guards.
Security Policy, Device, and Multidevice Management
functions as a central security control room where security
personnel monitor building or campus security, initiate
patrols, and activate alarms.
What are the policies?The policies that are implemented should control who
has access to which areas of the network and how
unauthorized users are going to be prevented from entering
restricted areas. For example, generally only members of
the human resources department should have access to
employee salary histories. Passwords usually prevent
employees from entering restricted areas, but only if the
passwords remain private. Written policies as basic as to
warn employees against posting their passwords in work
areas can often preempt security breaches. Customers or
suppliers with access to certain parts of the network, must
be adequately regulated by the policies as well.
Who will enforce and manage the policies?The individual or group of people who police and
maintain the network and its security must have access to
every area of the network. Therefore, the security policy
management function should be assigned to people who
are extremely trustworthy and have the technical
competence required. As noted earlier, the majority of
network security breaches come from within, so this
person or group must not be a potential threat. Once
assigned, network managers may take advantage of
sophisticated software tools that can help define,
distribute, enforce, and audit security policies through
browser-based interfaces.
How will you communicate the policies?Policies are essentially useless if all of the involved parties
do not know and understand them. It is vital to have
effective mechanisms in place for communicating the
existing policies, policy changes, new policies, and
security alerts regarding impending viruses or attacks.
Identity
Once your policies are set, identity methods and
technologies must be employed to help positively
authenticate and verify users and their access privileges.
Access Control Servers function like door access cards and the
gatekeeper that oversees site security, providing centralized
authorization, authentication and accounting (AAA) for traffic
and users.
Passwords
Making sure that certain areas of the network are
“password protected”—only accessible by those with
particular passwords—is the simplest and most common
way to ensure that only those who have permission can
enter a particular part of the network. In the physical
security analogy above, passwords are analogous to
badge access cards. However, the most powerful network
security infrastructures are virtually ineffective if people
do not protect their passwords. Many users choose easily
remembered numbers or words as passwords, such as
birthdays, phone numbers, or pets’ names, and others
never change their passwords and are not very careful
about keeping them secret. The golden rules, or policies,
for passwords are:
• Change passwords regularly
• Make passwords as meaningless as possible
• Never divulge passwords to anyone until leaving the
company
In the future, some passwords may be replaced by
biometrics, which is technology that identifies users based
on physical characteristics, such as fingerprints, eye
prints, or voice prints.
Digital Certificates
Digital certificates or public key certificates are the
electronic equivalents of driver’s licenses or passports, and
are issued by designated Certificate Authorities (CAs).
Digital certificates are most often used for identification
when establishing secure tunnels through the Internet,
such as in virtual private networking (VPN).
Access Control
Before a user gains access to the network with his
password, the network must evaluate if the password is
valid. Access control servers validate the user’s identity
and determine which areas or information the user can
access based on stored user profiles. In the physical
security analogy, access control servers are equivalent to
the gatekeeper who oversees the use of the access card.
Access Control Lists and Firewalls are analogous to door locks
on building perimeters that allow only authorized users (those
with keys or badges) access in or out.
Firewalls
A firewall is a hardware or software solution implemented
within the network infrastructure to enforce an
organization’s security policies by restricting access to
specific network resources. In the physical security
analogy, a firewall is the equivalent to a door lock on a
perimeter door or on a door to a room inside of the
building—it permits only authorized users, such as those
with a key or access card, to enter. Firewall technology is
even available in versions suitable for home use. The
firewall creates a protective layer between the network
and the outside world. In effect, the firewall replicates the
network at the point of entry so that it can receive and
transmit authorized data without significant delay.
However, it has built-in filters that can disallow
unauthorized or potentially dangerous material from
entering the real system. It also logs an attempted
intrusion and reports it to the network administrators.
EncryptionEncryption technology ensures that messages cannot be
intercepted or read by anyone other than the authorized
recipient. Encryption is usually deployed to protect data
that is transported over a public network and uses
advanced mathematical algorithms to “scramble”
messages and their attachments. Several types of
encryption algorithms exist, but some are more secure
than others. Encryption provides the security necessary to
sustain the increasingly popular VPN technology. VPNs
are private connections, or tunnels, over public networks
such as the Internet. They are deployed to connect
telecommuters, mobile workers, branch offices, and
business partners to corporate networks or each other. All
VPN hardware and software devices support advanced
encryption technology to provide the utmost protection
for the data that they transport.
Virtual Private Networks (VPNs) are analogous to armored
cars that carry precious cargo to an assigned drop-off point
to ensure secure and confidential passage.
Intrusion DetectionOrganizations continue to deploy firewalls as their central
gatekeepers to prevent unauthorized users from entering
their networks. However, network security is in many
ways similar to physical security in that no one technology
serves all needs—rather, a layered defense provides the
best results. Organizations are increasingly looking to
additional security technologies to counter risk and
vulnerability that firewalls alone cannot address. A
network-based intrusion detection system (IDS) provides
around-the-clock network surveillance. An IDS analyzes
packet data streams within a network, searching for
unauthorized activity, such as attacks by hackers, and
enabling users to respond to security breaches before
systems are compromised. When unauthorized activity is
detected, the IDS can send alarms to a management
console with details of the activity and can often order
other systems, such as routers, to cut off the unauthorized
sessions. In the physical analogy, an IDS is equivalent to a
video camera and motion sensor; detecting unauthorized or
suspicious activity and working with automated response
systems, such as watch guards, to stop the activity.
Intrusion Detection is analogous to a surveillance camera
and motion sensor detecting activity, triggering alerts, and
generating an armed response. Scanning is like a security
guard that checks and closes open doors or windows before
they can be breached.
3. Apa yang anda ketahui tentang security policies?