Security = Risk Management
Security… An old nostalgia. Browsing around again, well, not much has changed from back then until now:
…format string vulnerabilities exist in a component of Checkpoint’s FireWall-1… a buffer overflow exists within the Symantec firewall product line… Successful exploitation of this flaw yields remote KERNEL access to the system… a remote code execution vulnerability exists in Barracuda Spam Firewall…
And so on. And so on… It means only one thing: we cannot depend on products.
In fact, the more we depend on products, the more insecure we are. Isn’t that so? Because someone who depends on them totally doesn’t really understand the terrain and its limits. They don’t understand that antivirus must be updated because there are 300 new viruses every month. They don’t understand that a firewall is just a fence that cannot tell who is coming in or going out. They don’t understand that they may be secure today, but tomorrow, who knows.
There is an old saying: the security of a system is only as good as the weakest point in the system. So, who is in the weakest-point hall of fame? The user, of course! Example: no matter how sophisticated KlikBCA is (they even brought in consultants from ICSA), what if its users can be trapped into going to “kilkbca.com” instead of klikbca.com?
Watung, let’s forget the user and concentrate on our own scope: is it possible to have a good enough, secured system? Well… what do we mean by “good enough”? For most people, good enough means 100% secured, and remember: it is only as good as the weakest point… No matter how sophisticated our system is, as Mr. Schneier says (his “teaching” about the Window of Exposure is truly enlightening), there is always a period of time when we are truly, totally insecure…
Perhaps it is the mindset that needs to change. The fact is: you cannot depend on products (though we still need them!); even when we have regularly patched and updated every component, we still cannot guarantee we will be secure (not even 80%!) all the time. The way of looking at it should no longer be that, but rather a matter of Risk Management. No longer “how to secure the system”, but rather “what to do when the system is breached?”
In daily practice: instead of installing an IDS and all sorts of firewalls and tweaking this and that on our laptop, whose contents are really just JPEGs, it is better to think about the risk if this laptop catches a virus that (with nothing better to do) deletes every file. What will you do? Backup, backup, backup… Simpler, isn’t it? That even covers the case where our laptop falls into the Arafura Sea, for example. ;-)