Pertemuan 16 Security Policies Matakuliah :A0334/Pengendalian Lingkungan Online Tahun : 2005 Versi : 1/1 Pertemuan 16 Security Policies

Mahasiswa dapat menyatakan Security Policies Learning Outcomes Pada akhir pertemuan ini, diharapkan mahasiswa akan mampu : Mahasiswa dapat menyatakan Security Policies

Open Source in The Enterprise Outline Materi Security Testing So How Is Security Testing Carried Out? Open Source in The Enterprise

Security Testing How often do we hear in the news about customers finding faults in e-commerce websites and the negative publicity it brings? Yet we still find ourselves saying ‘if our e-commerce system isn’t working, our customers will soon let us know’. Relying on customers to test your system is the best way to lose them. Banking and e-commerce customers are often the first to notice when things go wrong, even before the website’s IT staff and long before directors and senior management.

E-commerce customers are often headline news for being unable to access their own accounts, being presented with other users’ personal details or finding credit card lists online. Such problems are not confined to the consumer arena. Commercial, legal and industrial firms often share clients’ confidential data,plans and proposals online, in an insecure environment leaving them vulnerable to outsiders. The loss of client confidence can spread like a cancer if not checked.

Sometimes security problems arise during internal system changes by IT staff, but often it is the result of something more malicious, such as hackers testing their ‘cybermuscles’ in order to deny user access, or those with more sinister, criminal intent. The more subtle attackers may gain access and do nothing to draw attention to their presence. Hacker ‘toolkits’ can be hidden within existing data. Changes may not be noticed for months.

Vulnerabilities to such attacks may appear in previously watertight systems whenever the systems are internally upgraded or reconfigured. Even adding a firewall an lead to other vulnerabilities. Few IT systems these days are static. Network security is something none of us can afford to compromise. Valuable IT time and resources may be required to recover systems, business can be lost in the short-term, but most importantly reputations can be permanently damaged.

While most off-the-shelf systems are extensively tested,many larger organisations prefer to design and build their own, although such bespoke systems are especially vulnerable. They are often complex and it is difficult to be sure that the system is working correctly, even though you have looked at all of the components and fitted them together properly. Regular penetration testing can help you to know your system’s vulnerabilities and to do something about them before any trouble arrives.

You might ask yourself how well you know your system, particularly if changes are made on a regular basis by different IT staff.

So How Is Security Testing Carried Out? ‘Regular Monitor’ penetration testing involves NTA looking at the vulnerability of a network from the point of view of a potential attacker and searching for any weakness that could be exploited to gain access to a system. However, this is done within very strict parameters. Security holes are located, identified and reported,but they are not exploited to gain access to a system. However, this is done within very strict parameters. Security holes are located, identified and reported, but they are not exploited.

Security testing gives operators greater confidence in their systems and gives their customers greater trust, safe in the knowledge that data and communications are secure. Never let the customer be the one to inform you that things are going wrong. To put your Internet customers first, first regularly check your system.

Open Source in The Enterprise In proprietary software, a single company claims ‘ownership’ of the software, and keeps a tight grip on its ‘intellectual property’. Often part of the ‘intellectual property’ they so carefully guard is the nature of that ‘intellectual property’ itself. The security community at large has a long history of taking matters into its own hands in a virtual ‘name and shame’ tradition, where security flaws in many products, commercial or otherwise are openly discussed.

The End